On January 31, 2020, the UK will cease to be a member of the European Union and European Economic Area (EEA). As a consequence:
- The EU's General Data Protection Regulation (GDPR) will continue to apply, in particular to entities established in the post-Brexit EEA or established outside the EEA, but targeting individuals there. The GDPR will, however, cease to apply to similar activities conducted in UK.
- Brexit therefore complicates transfers to the UK from the EEA, since following the UK's departure from the EU, such transfers will become "international transfers" and, as such, depend on specific legal bases set out in the GDPR.
- The UK will maintain the current rules for transfers from the UK to the EEA. UK entities may require local representation in EEA countries and EEA entities may require such representation in the UK.
- UK-US and EEA-US transfers can continue under Privacy Shield or other mechanisms.
- Since the UK will become a third-country, companies should review the legal bases of transfers to/from UK and the EEA and US and amend processes and documentation accordingly.
B. Introduction – The Issues
Following Brexit on January 31, 2020, the UK will no longer be a member of the EU/EEA: it will become a "third country," including for the purposes of EU data protection law, in particular the GDPR. While the Withdrawal Agreement concluded between the EU27 and the UK allows continued processing of personal data during a transition period (until expiry on December 31, 2020), thereafter third-country status for the UK will have two principal consequences. It will be necessary to determine: (i) whether a UK entity is still subject to the GDPR; and (ii) whether there is a lawful basis for personal data transfers between the UK and the EU/EEA.
1. Establishment in the EU/EEA
The GDPR will apply:
- Where personal data is being processed;
- In the context of the activities of an establishment of a controller or processor in the EEA;
- Irrespective of whether the processing takes place in the EEA or not.
As to where an entity has its establishment, the Court of Justice of the EU has held that the concept of an "establishment" is a "broad and flexible" one, which does not depend on legal form. An entity can be "established" within the EU where it exercises "any real and effective activity - even a minimal one" through "stable arrangements." The presence of a single representative may be sufficient. In Weltimmo v. NAIH (for example), although Weltimmo was incorporated in Slovakia, it was deemed to be established in Hungary, thus enabling Hungarian enforcement of data protection rules. Its establishment in Hungary arose due to Weltimmo's use of:
- A website in Hungarian that advertised Hungarian properties;
- A local agent for debt collection and administrative and judicial proceedings; and
- The use of a Hungarian postal address and bank account for business purposes.
2. Non-EU Established Entities:
Even entities that are not established in the EU/EEA are subject to the GDPR where they process the personal data of individuals who are in the EU/EEA in connection with:
- The "offering of goods or services" (no payment is required) to such individuals in the EU/EEA; or
- "Monitoring" their behavior, in so far as their behavior takes place within the EU.
This territorial scope of the GDPR is broad (and is often referred to as "long-arm jurisdiction").
Furthermore, where a UK entity requests an entity in the EEA to transfer personal data that has been collected in the EEA to the UK, the UK will be a third country after the end of the Brexit transition period and any such transfer will become subject to strict provisions of the GDPR. There is no minimum threshold for personal data transfers outside the EEA and the GDPR continues to regulate whether such as transfer is lawful.
The following headings examine selected conditions for a lawful transfer.
C. Article 45, GDPR – Adequacy Decision
In order to facilitate international transfers of personal data, the GDPR sets out various transfer mechanisms. One of these is an "adequacy decision," i.e. where the European Commission has decided that the third country (the UK) ensures an "adequate level of data protection." As noted above, the GDPR will continue to apply to the UK until December 31, 2020. During this period, the Commission will need to assess the UK's adequacy before it grants any adequacy decision; this process has yet to take place. When assessing whether to grant an adequacy decision, Article 45, GDPR sets out what the Commission must consider, in particular:
- The UK's respect for the rule of law, human rights and fundamental freedoms, the protection provided by the UK Data Protection Act 2018 and relevant legislation (both general and sectoral), public security, defense, national security and criminal law and the access of public authorities to personal data, rules for the onward transfer of personal data to another third country, the existence of effective and enforceable rights for individuals and effective administrative and judicial redress for individuals whose personal data is being transferred;
- The existence and effective functioning of independent supervisory authorities in the UK, adequate enforcement powers, the ability of individuals to exercise their rights and measures enabling cooperation with the supervisory authorities of the EU Member States; and
- The international commitments into which the UK has entered.
Even if the Commission grants a favorable decision, it must subsequently monitor developments in the UK and, if it considers that the UK no longer provides an adequate level of protection, it can repeal, amend or suspend its decision.
With regard to EU-US transfers, companies can use the Privacy Shield: this is a framework for the transatlantic exchange of EEA personal data, deemed adequate by the Commission.
D. Article 46, GDPR – Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, a controller or processor in the EEA may only transfer personal data to a third country if the third-country controller or processor has provided "appropriate safeguards." Relevant safeguards include:
- "Binding corporate rules" adopted in accordance with Article 47, GDPR;
- "Standard data protection clauses" adopted by the Commission or adopted by a supervisory authority and approved by the Commission;
- An "approved code of conduct" or an "approved certification mechanism" with binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards, regarding individuals' rights.
E. Article 49, GDPR – Consent or Necessity
Under Article 49, GDPR, in the absence of an adequacy decision or appropriate safeguards of the type described above, any transfer of personal data outside the EEA can be made only if one of the following conditions is satisfied:
- The individual has explicitly consented to the proposed transfer, after having been duly informed of the possible risks;
- The transfer is necessary for the performance of a contract between the individual and the controller;
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the controller and another natural or legal person;
- The transfer is necessary for important reasons of public interest;
- The transfer is necessary for the establishment, exercise or defense of legal claims;
- The transfer is necessary in order to protect the vital interests of the individual or of other persons (where the individual is incapable of giving consent);
- Under certain conditions, when the transfer is made from a public register.
Obtaining employee consent is very hard to establish. In other cases, it is often possible to rely on the ground in #2 above (performance of a contract), where the arrangement in question is a cross-border transaction.
F. Article 27, GDPR - Representatives of Controllers or Processors Not Established in the EEA
Where a UK entity is subject to the GDPR but is not established in the EEA, that UK controller or processor must generally designate a representative in one of the EEA Member States where the individuals (whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored) are located.
G. Will the Commission Grant an Adequacy Decision to the UK and, If Not, What Must Be Done?
In the absence of a Commission decision by the end of 2020 recognizing the adequacy of the UK data protection regime and, therefore, enabling the transfer of personal data between the EEA and UK, the Commission would then need to assess separately the adequacy of the UK data regime. The Commission's assessment or agreement on another arrangement would be just one element in complex negotiations that are currently subject to a very tight timescale. In addition, adequacy decisions can take a political dimension with uncertain results. By way of example, recent questions regarding the UK's access to the Schengen Information System used for security and border management in the EU could spill over to adequacy under GDPR.
UK entities that receive transfers of personal data subject to the GDPR from EEA Member States will accordingly need to be prepared for the possibility of no overarching agreement or adequacy decision being in place on January 1, 2021. Meantime, UK-based controllers and processors should ensure GDPR compliance with their EEA counterparts regarding transfers of personal data from the EEA to the UK. For many UK entities, the most suitable legal basis for any such transfers would be standard contractual clauses. There is, however, little scope to amend these clauses.
If a group has already adopted binding corporate rules, these could be used to safeguard personal data transfers. If no such rules are already in place, then the group would need to establish these - a lengthy and time-consuming exercise.
H. Transfers from the UK to the EEA
The UK Government has confirmed that it will allow transfers of personal data subject to UK data protection law to be transferred from the UK to the EEA and all other countries deemed adequate by the Commission on the date the UK withdraws from the EU (January 31, 2020).
I. Transfers from the UK to the US
The US Department of Commerce has confirmed that businesses currently relying on the EU-US Privacy Shield to receive personal data from the UK can continue to do so, provided they continue to meet the annual certification requirements and update their relevant policies.
J. UK Representatives
Where an EEA entity is subject to the UK data protection regime, but is not established in the UK, that EEA controller or processor must generally designate a representative in the UK (cf. F above).
K. Privacy Policies
These will require separate review and amendment to reflect the two – UK GDPR and EEA/GDPR - regimes.
L. Conclusion and Action Points
Thanks to agreement on the terms of withdrawal, the threat of a "no-deal Brexit" has receded. In particular, companies and other entities subject to the GDPR enjoy a grace period to December 31, 2020. This period preserves existing business models, but controllers and processors of personal data thereafter face more restrictive rules for international transfers.
Companies and other entities should therefore consider which legal bases they wish to rely on under the GDPR and the UK's regime; by way of example, the Annex summarizes legal bases for international transfers under the GDPR.
In order to address which legal basis, controllers and processors can apply "rules of thumb":
- What data does the controller or processor hold and where?
- Can the controller or processor readily meet a data subject access request?
- What third parties are holding data?
- Is the controller or processor holding data longer than necessary?
- What is the risk of data being "trapped" in the wrong jurisdiction?
Businesses should note that any unlawful transfer of EEA personal data to the UK as a third country could attract fines. The Supervisory Authority of an EEA member state could also compel compliance with the GDPR and might order the suspension of unlawful data flows.
 Post-Brexit, the EU comprises: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden (EU27). The EEA comprises the EU27, plus Iceland, Lichtenstein and Norway.
January 31, 2020