The effects of Brexit on data protection law
When the transition period ends on 31st December 2020, the UK will be a third country under the General Data Protection Regulation (GDPR), meaning that data transfers to the UK will generally be prohibited unless one of the GDPR's transfer mechanisms applies.
From this time, data controllers resident in the EU must ensure on a case-by-case basis that the level of data protection is sufficient for data transfer to the UK.
Personal data may be transferred to a third country if the EU Commission has decided that the third country in question offers an adequate level of protection. If such an adequacy decision has been taken, the data transfer may take place without any additional authorisation.
The EU Commission plans to launch an adequacy assessment immediately after the UK's withdrawal. A positive adequacy decision by the EU Commission would significantly facilitate the exchange of data between the EU Member States and the UK after the transition period.
If such an adequacy decision has not been reached in time, EU standard data protection clauses are of great practical importance in this context. These are model contracts between data importer and data exporter which are specified by the EU Commission and which require the body based in the third country to maintain an adequate level of data protection.
The European Commission may decide that standard contractual clauses provide sufficient data protection guarantees for the data to be transferred internationally. It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers based outside the EU or European Economic Area (EEA). It has also issued a set of contractual clauses for data transfers from controllers in the EU to processors based outside the EU or EEA.
However, since the Schrems II ruling of the Court of Justice of the European Union, transferring personal data by means of standard contractual clauses requires the data exporter to assess whether an adequate level of data protection is guaranteed in the recipient country for the data concerned by the transfer. It is not the general level of data protection in the recipient country that must be assessed, but the specific level of protection for the transferred data.
The new drafts of the European Data Protection Authority (EDPA) are also currently under discussion.
Binding Corporate Rules ("BCR") are also a suitable basis for data exchange within multinational corporate groups.
BCR are data protection policies that companies based in the EU comply with when transferring personal data outside the EU within a group of undertakings or enterprises. These rules must include all general data protection principles and enforceable rights to ensure adequate guarantees for data transfer. They must be legally binding and enforced by every member of the group concerned.
In contrast to the EU standard data protection clauses, however, the BCR require approval by the competent supervisory authority.
This article was originally written at the beginning of December.