03 January 2021

The effects of Brexit on data protection law

When the transition period ends on 31st December 2020, the UK will be a third country under the General Data Protection Regulation (GDPR), meaning that data transfers to the UK will be generally prohibited. 

From this time, data controllers resident in the EU must ensure on a case-by-case basis that the level of data protection is sufficient for data transfer to the UK.

Adequacy decision

Personal data may be transferred to a third country if the EU Commission has decided that the third country in question offers an adequate level of protection. If such an adequacy decision has been taken, the data transfer may take place without any additional authorisation

The EU Commission plans to launch an adequacy assessment immediately after the UK's withdrawal. A positive adequacy decision by the EU Commission would significantly facilitate the exchange of data between the EU Member States and the UK after the transition period.

EU Standard Contractual Clauses

If such an adequacy decision has not been reached in time, EU standard data protection clauses are of great practical importance in this context. These are model contracts between data importer and data exporter which are specified by the EU Commission and which require the body based in the third country to maintain an adequate level of data protection.

The European Commission may decide that standard contractual clauses provide sufficient data protection guarantees for the data to be transferred internationally. It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers based outside the EU or European Economic Area (EEA). It has also issued a set of contractual clauses for data transfers from controllers in the EU to processors based outside the EU or EEA.

However, since the Schrems II ruling of the Court of Justice of the European Union, transferring personal data by means of standard contractual clauses requires the data exporter to assess whether an adequate level of data protection is guaranteed in the recipient country for the data concerned by the transfer. It is not the general level of data protection in the recipient country that must be assessed, but the specific level of protection for the transferred data.

The new drafts of the European Data Protection Authority (EDPA) are also currently under discussion.

Binding Corporate Rules

Binding Corporate Rules ("BCR") are also suitable for data exchange in multinational group companies. 

BCR are data protection policies that companies based in the EU comply with when transferring personal data outside the EU within a group of undertakings or enterprises. These rules must include all general data protection principles and enforceable rights to ensure adequate guarantees for data transfer. They must be legally binding and enforced by every member of the group concerned.

In contrast to the EU standard data protection clauses, however, the BCR require approval by the competent supervisory authority.

This article was originally written at the beginning of December. 

Copyright © The Impact Lawyers. All rights reserved. This information or any part of it may not be copied or disseminated in any way or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of The Impact Lawyers. The opinions expressed in this article are those of the authors and do not necessarily reflect the positions or policies of The Impact Lawyers.

Would you like to read more?

The Impact Lawyers offers a FREE newsletter that keeps you up to date on news and analysis about the international latest legal news.
Please complete the form below and click on subscribe to receive The Impact Lawyers Newsletter subscription


The Impact Lawyers Newsletter

  • Practical templates and guides for lawyers and law firms
  • Podcasts, videos and webinars explaining how to be sucessful
  • Tips made by lawyers and other practitioners