On 6 July 2020, the European Commission published a notice to stakeholders regarding the transfer of personal data from the EU to the UK after the end of the transition period, i.e. after 31 December 2020. Until 31 December 2020, EU law continues to apply to the UK.
Data protection law in the UK before 31 December 2020
All UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018. Both laws continue to apply until the end of the transition period.
What happens after 31 December 2020?
After 31 December 2020, any transfer of personal data from the EU to the UK will need to comply with the requirements applicable to transfers of personal data from the EU to third countries. The exceptions to this rule are those provided by article 71(1) of the Withdrawal Agreement (the “Withdrawal Agreement”) concluded between the EU and the UK regarding the terms of the UK’s withdrawal from the EU. Under that article, EU data protection law continues to apply to the personal data of data subjects outside the UK which:
- “were processed under the EU law in the UK before the end of the transition period; or
- are processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement”.
Under the provisions of Chapter V of the European General Data Protection Regulation (“GDPR”), the transfer of personal data from EEA countries to non-EEA countries may be performed if certain safeguards are applied, such as:
- Standard data protection clauses;
- Binding corporate rules;
- Codes of conduct and certification.
The personal data of data subjects located outside the UK may be processed in the UK after 31 December 2020 if it:
- was transmitted to the UK or otherwise processed in the UK before 31 December 2020; or
- is transmitted to the UK or otherwise processed in the UK after 31 December 2020 on the basis of the Withdrawal Agreement.
The Data Protection Act 2018 enacts the EU GDPR’s requirements in UK law. The UK Government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 – which amends the Data Protection Act 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. This regime will be known as the UK GDPR.
The EU GDPR and the proposed UK GDPR are not very different, so organisations that process personal data should continue to comply with the requirements of the EU GDPR. The EU GDPR’s requirements as implemented by Parts 3 and 4 of the Data Protection Act 2018 will continue to apply for law enforcement and intelligence purposes.
Binding corporate rules and standard contractual clauses
If no adequacy decision for the UK is in place by 31 December 2020, organisations in the UK that process EU residents’ personal data will have to rely on other safeguards. After the UK leaves the EU, the Information Commissioner’s Office will no longer be a supervisory authority under the EU GDPR and will not be able to approve transfers of personal data from the EEA to the UK.
What non-compliance penalties will be applied after 31 December 2020?
UK companies continuing to do business with the EU after Brexit will need to comply with the EU GDPR to avoid infringements.
Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover, whichever is greater. Organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in the event that no adequacy decision is reached.