Besides the general requirements for the lawfulness of data processing, specific conditions in terms of data transfer with third countries have to be observed.
The trade and cooperation agreement with the UK, which was concluded practically at the last minute, once again provides for an extension of the status quo. Regarding data transfers, it prolongs the prior Brexit withdrawal agreement for an additional four to six months.
From 1 January 2021, data transfers from and to the UK will continue not to be considered as third country transfers within the meaning of the GDPR for a further transitional period of four months, i.e. until 30 April 2021 (provided that the legal data protection situation in the UK applicable on 31 December 2020 remains unchanged). Data transfers to the UK can therefore take place as before during this period without having to comply with any additional requirements. This transitional phase may be extended once for a further two months if none of the parties objects.
The agreement also provides for the adoption of an adequacy decision by the Commission pursuant to Art. 45 GDPR for the UK during this transitional phase. This was already included in the prior Brexit withdrawal agreement. Talks and efforts in order to achieve an adequacy decision have been ongoing since March 2020, but so far there has been no result. If an adequacy decision is adopted before the expiry of the new transitional period, data transfers will be treated as transfers to a third country within the meaning of the GDPR. At the same time, the adequacy decision will create a basis for lawful data transfers to the UK, as is provided in Chapter V of the GDPR.
However, even in case of a timely adequacy decision, additional requirements must be observed. Companies that transfer data to the UK must, for example, refer to such third-country transfers in their data protection declarations. They must also explicitly provide information about such transfers when data subjects assert their right to information pursuant to Art. 15 GDPR.
Of course, this applies just as well if the transitional phase ends without an adequacy decision. Additional safeguards must then be in place, such as standard data protection clauses (SCC) or approved binding corporate rules. In certain cases, exceptions from the requirement of an adequacy decision or appropriate safeguards may apply; however, due to their nature as exceptions, these should be used cautiously. Data exporters should carefully consider if they should rely on such exceptions for their daily business.
In summary, transfers to the UK will become third country transfers within the meaning of the GDPR by the end of 30 June 2020 at the latest, and Art. 44 ff. GDPR will apply. In any case, this will require affected companies to consider the legal implications, both in the event of an adequacy decision and without such a decision. However, an adequacy decision would certainly make things easier.
In addition, data exporters may have to observe the UK data protection law (Data Protection Act – “DPA 2018”), which is modelled after the GDPR. International data processing may be subject to both the GDPR and the DPA 2018, burdening data exporters with more potential issues to consider.
Transfers on the basis of an adequacy decision - Article 45 of the GDPR
The transfer of personal data to a third country is possible according to Art. 45 GDPR if the European Commission has determined by means of an adequacy decision that the third country offers an adequate level of protection.
The Trade and Cooperation Agreement with the UK provides in Part 7 Art. FINPROV.10A that such a decision shall be reached during the transitional phase starting 1 January 2021. Such a decision would end this transition phase.
- The EU (Withdrawal) Act 2018 largely retains the GDPR in UK law. The UK has passed the DPA 2018.
- The powers held by the secret service in the UK raise doubts as to whether the UK’s data protection level can be compared with the one in place in the European Union, for the applicable legislative provisions of a country with respect to its national security have to be taken into account when examining the protection level.
- In this context, the ECJ recently ruled that the blanket and comprehensive data processing powers of British secret services were inadmissible (judgment of 6 October 2020, C-623/17), which may lead to further delays for the adequacy decision.
- A publicly accessible decision on a third country provides legal certainty.
- A data transfer based on an adequacy decision does not require any further approval.
- An adequacy decision requires a complex and time-consuming Committee procedure on the part of the European Commission.
- Such Committee procedure takes one to two years, according to the Commission.
- Since efforts and discussions on a corresponding adequacy decision for the UK have been ongoing since March 2020, a decision by the Commission in spring 2021 and, thus, within the transitional periods provided for in the agreement, is in principle possible and realistic.
Appropriate safeguards - Article 46 of the GDPR
In the absence of a decision, a data transfer to a third country pursuant to Article 46 of the GDPR may take place if appropriate safeguards have been provided for the protection of personal data; these include in particular
- Binding corporate rules in accordance with Article 47 of the GDPR
- Approved contractual clauses pursuant to Article 46 (3) lit. a) of the GDPR
- Approved code of conduct to properly apply the GDPR
- Certified commitments pursuant to Article 42 of the GDPR
Standard data protection clauses – Article 46 (2) lit. c) of the GDPR
The European Commission may specify SCC, on whose basis a data transfer may take place.
- This may directly be agreed with the contractual parties
- No need to obtain a new approval by the supervisory authorities
- SCC may only be used for a transfer between controller and controller and for a transfer between the controller and the processor; however, the SCC 2021, currently available as a draft, also envisage the transfer of data from processor to processor, so that this constellation is likely to be covered in the future as well.
- In the case of a transfer to a dependent establishment in the UK, a contract may not be concluded as the establishment does not constitute an independent legal subject.
- With the Schrems II decision, the ECJ clarified that SCC do not automatically ensure adequate data protection standards in all cases.
- Data exporter and importer remain responsible for the actual standard of protection and implementation/compliance with SCC in third states; in this respect, the recommendations issued by the European Data Protection Board on the implementation of the ECJ ruling on Schrems II must be carefully observed.
Further appropriate safeguards – Article 46 of the GDPR
Other safeguards mentioned in Article 46 of the GDPR are, for instance, contractual clauses between the person transferring data and the recipient of the data transfer; these, however, require authorisation from the competent supervisory authority.
Appointment of a data protection representative
Who must appoint a representative under British law?
According to Article 27 UK GDPR, all companies (B2C or B2B) without an establishment in the UK that offer goods or services on the ground or observe the behavior of persons must appoint a representative. The mere offering of a website aimed at UK citizens may trigger the obligation to appoint a representative. Use cases:
- Tracking of UK citizens, for example by means of cookies or device fingerprints
- UK-focused search engine advertising
- Possibility to order goods or services in the UK with the British pound as a means of payment
- Implementation of clinical studies or market research
Duties and role of the representative
The representative is the local point of contact for citizens and the British Information Commissioner's Office (ICO), the UK's data protection watchdog. Letters from the authorities can be served with legal effect for the company. The representative must:
- be established in the UK
- be named in writing
- keep a processing register (Article 30 UK GDPR) of the company
- have power of representation.
- Under the new agreement, data transfers to/from the UK are provisionally not to be treated as transfers to a third country in terms of data protection law. In a first statement, the German Data Protection Conference (Datenschutzkonferenz, DSK) explicitly advises companies that for the period specified by the agreement, thus until 30 June 2021 at the most, data transfers to the UK can take place without additional requirements. However, this situation will end as soon as an adequacy decision is reached or the specified transition period expires. Consequently, companies should already align their data protection concepts to the fact that data transfers to the UK will be treated as third country transfers within the meaning of the GDPR in the near future. To the extent that the data subject’s consent is required for the data transfer, the consent must include the data transfer to the UK and the data subject must be informed of the risks involved.
- The fact that personal data are transferred to a third country must also be stated in the privacy policy (information of the data subject pursuant to Articles 13, 14 of the GDPR).
- Should the data subject assert his or her right of access pursuant to Article 15 of the GDPR, the information must include the transfer of personal data to a third country.
- The records of processing activities (which are to be maintained pursuant to Article 30 of the GDPR) must include data transfers to third countries.
- Data transfer to third countries must be observed when carrying out a data protection impact assessment pursuant to Article 35 of the GDPR.
- If necessary, appoint a data protection representative for the UK.
- Even though we expect an adequacy decision before 30 June 2021, companies should also be prepared for the possibility of negotiations failing or for the case that a decision issued by the Commission might be challenged retrospectively and reviewed accordingly by the ECJ.
In the absence of an adequacy decision, data transfers would have to be based on other safeguards, such as SCC. However, it will no longer be possible to use the SCC by way of "copy/paste", as has been common practice so far. Instead, the current SCC will have to be drafted and negotiated for each individual case in accordance with the recommendations of the European Data Protection Board on Schrems II; alternatively, the revised SCC that are available in draft form and planned for Q1 2021 may be helpful, as these already take into account the special features of Schrems II and, thus, demonstrate a significantly higher level of complexity. It can be observed that in case of failure of an adequacy decision, the difficulties of data transfers to the UK are comparable to the current challenges of data transfers to the USA.
- With respect to “unlawful” data transfers, i.e., if the principles and, in particular, the general principles for transfers pursuant to Article 44 of the GDPR are not complied with, administrative fines may be imposed for any infringements pursuant to Article 83 of the GDPR; the authorities generally do not have much discretionary leeway as far as the imposition of administrative fines is concerned.