As of 1 January 2021, the United Kingdom has definitively left the European Union: the so-called "Brexit" process has been completed. What are the consequences in terms of data protection?
With regard to data flows to the United Kingdom, which has thus become a third country, reference must be made to the Trade and Cooperation Agreement entered into on 30 December 2020 between the United Kingdom and the European Union. This agreement provides, inter alia, that the UK will continue to apply the European General Data Protection Regulation for a further period of up to 6 months (i.e. until 30 June 2021). Accordingly, during this period, any communication of personal data to the UK will be able to take place under the same rules that applied as of 31 December 2020 and will not be considered a transfer of data to a third country.
In the meantime, the European Commission and the UK Government have undertaken, also under the Agreement, to work on mutual adequacy decisions that would allow data flows to continue uninterrupted even after the transitional period mentioned above. If no such decisions are adopted, all the provisions of Chapter V of the GDPR will apply. These require adequate safeguards (standard contractual clauses, binding corporate rules, administrative agreements, certifications, codes of conduct) for transferring data from the EU (more precisely from the EEA, the European Economic Area) to a third country that is not adequate, or admit certain exceptions in the absence of adequate safeguards (explicit consent of the data subject, public interest of an EEA Member State, etc.), but only on a residual basis and according to a very restrictive approach.
As regards any cross-border data protection disputes or complaints with data controllers or processors established in the UK, from 1 January 2021, the one-stop shop mechanism governing such disputes between EEA countries will no longer apply to the UK as a third country. Essentially, UK-based businesses will no longer be able to benefit from dealing with a single "lead" Supervisory Authority (i.e., the Authority responsible for the main or sole establishment in the EEA) for the various obligations under the European General Data Protection Regulation. In order to continue enjoying the benefits of the one-stop shop, they would have to locate a new main establishment in an EEA Member State.
In any case, from 1 January 2021, UK-based controllers and processors who are subject to the application of the GDPR pursuant to Article 3(2) are required to designate a "representative" in the EEA pursuant to Article 27 of the GDPR. This representative may be contacted by Supervisory Authorities and data subjects on any matter relating to processing activities in order to ensure compliance with the GDPR. Data subjects located in Italy whose data is processed by data controllers established in the UK, for the purpose of offering goods and services or monitoring their behaviour, may still contact the Italian Data Protection Authority to protect their rights.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.