Since January 1, 2021, the UK has finally left the EU with the consequence that European law - and thus in principle also the General Data Protection Regulation (GDPR) - will no longer apply to the UK. However, Brexit will have no direct impact on the permissibility of data flows between the EU and the UK - at least for the time being.
It is true that the UK has become an "unsafe third country" under data protection law with the end of the transitional phase on December 31, 2020, i.e. data transfers from the EU to the UK must in principle meet the requirements of Article 44 et seq. GDPR. However, the EU-UK Trade and Cooperation Agreement ("TCA") provides for an interim solution in Art. FIN- PROV.10A, according to which such data transfers shall not be considered as transfers to a third country. Thus, during the validity of the transitional provisions until June 30, 2021 at the latest, the uniform level of data protection originally provided for by the GDPR will remain in place. The transitional mechanism allows European companies to continue to transfer personal data to the UK without concluding special safeguards, in particular the European Commission's standard contractual clauses, both within the group and in relation to service providers or business partners. The question of how to proceed after the six-month transitional period from the TCA applies depends largely on whether the European Commission issues an adequacy decision for the UK during this period. If this succeeds, an "adequate level of data protection" would be established in the UK even after the TCA and the current interim solution have come into force (as is also the case, for example, for Switzerland or Japan), and corresponding data transfers would be permitted without further measures on the part of the data exporters and importers. According to a statement by the UK's Information Commissioner's Office, the UK is currently seeking such an adequacy decision from the European Commission. There is much to suggest that such a decision could be issued within the relatively short transition period, as the actual situation with regard to the level of data protection in the UK is unlikely to have changed since the GDPR ceased to apply there.
However, whether such an adequacy decision will hold up in the European courts is another matter: In its judgment of October 6, 2020 (Case C-623/17 - Privacy International), the ECJ found that the obligation under UK law to retain traffic and location data without prior notice was a violation of EU fundamental rights, which, prima facie, calls into question an "adequate level of data protection". Against this background, it cannot be ruled out that the pragmatic interim solution in the TCA will turn into legal uncertainty after all.
Irrespective of the question of the permissibility of data transfers to the UK, companies that offer their goods or services in the UK and do not have a branch there must appoint a so-called EU representative pursuant to Article 27 GDPR.
So far, Brexit has not led to any far-reaching changes in the area of data protection law: European companies can continue to transfer personal data to the UK during a transition period without concluding special safeguards. Even after the transition period in the TCA until June 30, 2021, it is expected that the EU Commission will adopt an adequacy decision for the UK, so that data exchange should continue to be possible without problems in the future.
Originally Published 25 March 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.