In the event of a “no deal” Brexit, the United Kingdom will leave the European Union as of 1 February 2020 and will become a third country within the meaning of the General Data Protection Regulation.
Therefore, as of 1 February 2020, the rules for transfers of personal data to third countries set out in Chapter V of the General Data Protection Regulation will apply to the transfers of personal data from a Member State of the European Union to the United Kingdom.
In order to continue to transfer personal data to the United Kingdom lawfully, the Luxembourg entities in question shall comply, as of 1 February 2020, with the provisions of Chapter V of the General Data Protection Regulation.
In the absence of or pending the adoption of a formal adequacy decision by the European Commission pursuant to Article 45 of the General Data Protection Regulation, Luxembourg entities may rely on ‘appropriate guarantees’ as referred to in Article 46 of the General Data Protection Regulation in order to ensure a sufficient and appropriate level of protection for personal data transferred from Luxembourg to the United Kingdom. The ‘appropriate guarantees’ may be:
- contractual clauses (standard data protection clauses adopted by the European Commission or ‘ad hoc’ contractual clauses), or
- binding corporate rules (BCRs), or
- codes of conduct or certification mechanisms, or
- legally binding and enforceable instruments between public authorities or bodies.
Lastly, the transfer may be covered by one of the “exceptions” as set out in Article 49 of the General Data Protection Regulation. However, controllers should aim to implement appropriate safeguards and should only rely on the exceptions in the absence of appropriate safeguards. Indeed, Article 49 of the General Data Protection Regulation is subject to a strict interpretation by the data protection authorities to prevent the exceptions from becoming the rule.
In the absence of appropriate guarantees or where one of the exceptions cannot be used, the transfer of personal data to the United Kingdom will therefore be prohibited.
2.2. The next steps to take by Luxembourg entities transferring data to the United Kingdom in the case of a “no deal” Brexit
Companies, public bodies and Luxembourg associations, which will continue to transfer personal data to the United Kingdom after 31 January 2020, shall ensure that such transfers are covered by one of the legal mechanisms as provided for by Chapter V of the General Data Protection Regulation.
Since it is uncertain that the European Commission will have adopted an adequacy decision by the end of January 2020, the CNPD recommends that the entities concerned should determine which of the ‘appropriate guarantees’ as referred to in Article 46 is best suited for their organisation and should ensure that the appropriate guarantees are in place by 31 January 2020.
Among these appropriate guarantees, the most commonly used and the one that could be put in place quickly, is the conclusion of standard data protection clauses between the Luxembourg entity in question and the UK data importer. The European Commission has adopted three models of standard data protection clauses that are available on its website.