Update of information: On June 28, the European Commission recognized that the UK provides a level of protection for personal data equivalent to that guaranteed within the European Union and therefore adopted an adequacy decision in its favor (with a duration limited to 4 years). From now on, any transfer of personal data to the UK is allowed in compliance with the principles of the GDPR and can be carried out without the need to implement standard contractual clauses or other specific guarantees required for non-EU and non-adequate countries. It is worth noting that a reform on personal data protection is currently under review in the UK. The European Commission has already announced that it will closely monitor this reform and will take any necessary actions if problematic developments arise that could jeopardize the scope and durability of this agreement.

Although Brexit came into effect on January 1, 2021, the management of personal data between the United Kingdom and the EU member states (“the Union”) follows a different timeline. A transition period ran until December 31, 2020, during which the UK remained part of the Union’s customs territory and internal market, and Union law continued to apply. During this period, negotiations took place between the parties and led, on December 24, 2020, to the presentation of a cooperation and trade agreement. This agreement now defines the terms of cooperation between the UK and the Union in certain areas, notably the circulation of data. In the coming months, these measures will affect commercial and contractual relationships wherever personal data fall within the scope of the contract.

 

Personal Data: A Transitional Agreement Until July 1, 2021

Under the cooperation and trade agreement signed between the Union and the UK, the European data protection regulation (“GDPR”) will remain applicable, on a transitional basis, to the UK for an additional period of up to 6 months, i.e., until July 1, 2021.

Accordingly, until July 1, 2021, transfers of personal data to the UK will continue under the current framework and will not be treated as transfers to a third country, for which appropriate safeguards must be put in place to ensure adequate protection.

Article 44 of the GDPR establishes the principle that the transfer of personal data to a third country is possible provided that a sufficient and appropriate level of data protection is ensured. In the absence of an adequacy decision by the European Commission, these transfers must be governed by various legal tools, such as standard contractual clauses in the contractual documentation, binding corporate rules (“BCR”), codes of conduct, or certification mechanisms.

Thus, at the end of these six months, any transfer of personal data to the UK will be considered a transfer to a third country and will require the implementation of appropriate safeguards unless the European Commission recognizes the UK as a country with an adequate level of protection.

 

Two Scenarios Based on the European Commission's Decision

As of July 1, 2021, two scenarios are possible for personal data transfers to the UK:

  1. The European Commission decides, within the next six months, that the UK is a country with an adequate level of protection.
    In this case, the transfer of personal data can be carried out without specific transfer tools, provided that the GDPR provisions and principles (respecting key principles, establishing a record of processing, putting data processing agreements with processors in place, etc.) are followed.

  2. The European Commission does not decide, within the next six months, that the UK is a country with an adequate level of protection.
    In this case, any transfer of personal data to the UK will be considered a transfer to a third country and must be governed by transfer tools (European Commission's standard contractual clauses, ad hoc contractual clauses, BCR, codes of conduct, certification mechanisms).

On the other hand, for data transfers from the UK to the Union, the conditions will be set by the UK. The British government had announced that the situation would remain unchanged and that the free movement of data to the EU would be allowed without the need for additional guarantees. However, it will be important to monitor the evolution of UK regulations.

 

Possible Sanctions for Non-Compliance with GDPR

Finally, in the event of non-compliance with GDPR rules, especially those relating to the transfer of personal data to a third country, the restricted formation of the CNIL (French Data Protection Authority) has the power to impose sanctions.

Graduated financial penalties can range up to €20 million or 4% of the global annual turnover of the company concerned. Non-financial sanctions such as a warning, suspension of data flow, temporary or permanent restriction of processing, injunction under penalty, or public disclosure of the decision can also be imposed.

So far, the restricted formation of the CNIL has imposed few sanctions concerning the transfer of personal data outside the Union. However, a €500,000 fine and an injunction under penalty were recently imposed on a company installing insulation equipment, notably for transferring data outside the Union without proper safeguards.

 

In conclusion, it is up to each economic actor who has contractual or commercial relationships with the UK to assess the potential impact of Brexit on their activities and contractual documentation in order to take the necessary measures to comply with applicable regulations and limit the risks.

EU/UK Cooperation and Trade Agreement 

Updates regarding Brexit can be found on the website http://www.brexit.gouv.fr

A personalized self-diagnosis tool for businesses affected by Brexit is available at http://www.votrediagnosticbrexit.fr/