The European Commission may decide, by way of a formal decision, a so-called “adequacy decision”, pursuant to Article 45 of the General Data Protection Regulation, that the personal data protection regime of the United Kingdom provides data protection safeguards which are “essentially equivalent” to those in the European Union.
As underlined in its Political Declaration, the European Commission will use its best endeavours to conclude the assessment of the UK regime by the end of 2020 with a view to possibly adopting a decision if the United Kingdom meets the applicable conditions. The European Commission is currently conducting this assessment and has held a number of technical meetings with the United Kingdom to gather information in order to inform the process.
The steps that companies, public bodies and Luxembourg associations must take in order to continue to transfer personal data to the United Kingdom after 31 December 2020 will depend on whether or not the European Commission adopts an adequacy decision.
In any event, they should take the necessary steps to ensure that any personal data transfers to the United Kingdom comply with Union data protection law, irrespective of whether an EU adequacy decision is adopted with regard to the United Kingdom. Compliance can be achieved by having appropriate safeguards in place as foreseen by the General Data Protection Regulation, as described in section 2.2 below.
- Notice to stakeholders – withdrawal of the United Kingdom and EU rules in the field of data protection
- Political declaration setting out the framework for the future relationship between the European Union and the United Kingdom
If the European Commission adopts an adequacy decision for the United Kingdom, this decision will allow personal data to flow freely between the United Kingdom and the European Economic Area. However, as stated by the European Commission, it is not certain whether such an agreement will be concluded and will enter into force at the end of the transition period.
In any case, these entities must continue to comply with the general principles of the General Data Protection Regulation and shall apply them when transferring personal data to the United Kingdom (e.g. the principle of lawfulness, the compatibility of the communication with the initial processing activity, information to the data subjects).
- Guidance on international data transfers, “Transfers towards a country outside the European Economic Area with an adequate level of protection”
In the absence of an adequacy decision by the European Commission, and as of 1 January 2021, the rules for transfers of personal data to third countries set out in Chapter V of the General Data Protection Regulation will apply to the transfers of personal data from a Member State of the European Union to the United Kingdom.
In order to continue to transfer personal data to the United Kingdom lawfully, the Luxembourg entities in question shall comply, as of 1 January 2021, with such provisions.
Luxembourg entities may rely on ‘appropriate guarantees’ as referred to in Article 46 of the General Data Protection Regulation in order to ensure a sufficient and appropriate level of protection for personal data transferred from Luxembourg to the United Kingdom, in the absence of or pending the adoption of a formal adequacy decision by the European Commission pursuant to Article 45 of the General Data Protection Regulation. The ‘appropriate guarantees’ may be:
- contractual clauses (standard data protection clauses adopted by the European Commission or ‘ad hoc’ contractual clauses), or
- binding corporate rules (BCRs), or
- codes of conduct or certification mechanisms, or
- legally binding and enforceable instruments between public authorities or bodies.
Such ‘appropriate guarantees’ shall be used in accordance with the ‘Schrems II’ judgement of the Court of Justice of the European Union. The European Data Protection Board (EDPB) recently published a document answering some frequently asked questions (“FAQ”) received by supervisory authorities about this judgement.
The EDPB also published an information note on BCRs for the specific cases of groups of undertakings or enterprises which have the Information Commissioner’s Office (British Supervisory Authority) as BCR Lead Supervisory Authority.
The transfer may also be covered by one of the “exceptions” as set out in Article 49 of the General Data Protection Regulation. However, controllers should aim to implement appropriate safeguards and should only rely on the exceptions in the absence of appropriate safeguards. Indeed, Article 49 of the General Data Protection Regulation is subject to a strict interpretation by the data protection authorities to prevent the exceptions from becoming the rule.
In the absence of appropriate guarantees or where one of the exceptions cannot be used, the transfer of personal data to the United Kingdom will therefore be prohibited.
Since it is uncertain whether the European Commission will have adopted an adequacy decision by the end of December 2020, the CNPD recommends that the entities concerned should determine which of the ‘appropriate guarantees’ as referred to in Article 46 is best suited for their organisation and should ensure that the appropriate guarantees are in place by 31 December 2020.
- Chapter V of the General Data Protection Regulation
- Standard data protection clauses, on the website of the European Commission
- Guidance on international data transfers, “Transfers outside the European Economic Area with no adequate protection”
- CNPD statement following invalidation of “Privacy Shield”
- EDPB, Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
- EDPB, Information note on BCRs for Groups of undertakings / enterprises which have ICO as BCR Lead SA