On July 9, 2020, the European Commission (the “Commission”) adopted a Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled: “Getting ready for changes – Communication on readiness at the end of the transition period between the European Union and the United Kingdom” (the “Communication”).
The Communication aims to help national authorities, businesses and citizens prepare for the end of the Brexit transition period on December 31, 2020, including with respect to cross-border exchanges of personal data between the EU and the UK. In order to avoid prejudicing the ongoing Brexit negotiations, the Communication refers only to sectoral changes that will come into effect as a result of the UK leaving the EU Single Market and the Customs Union, as well as all Union international agreements, regardless of the outcome of negotiations. The Communication does not discuss the potential consequences that failure to reach an agreement would have on a future partnership.
In a press release, the Commission’s Chief Negotiator, Michel Barnier, said: “Public administrations, businesses, citizens and stakeholders will be affected by the UK’s decision to leave the EU. Following the UK Government’s decision not to extend the transition period, we now know that these changes will take place on 1 January 2021 – deal or no deal. We are helping them to prepare as best as they can.”
The UK remains bound by EU data protection law, such as the EU General Data Protection Regulation (the “GDPR”), during the transition period. However, as of January 1, 2021, the UK will become a third country under the GDPR, and as such, will require an EU adequacy decision in order to receive personal data transferred by EU entities without restrictions. Regarding adequacy, the Communication states that the EU will endeavor to conclude the assessment of the UK regime by the end of 2020, with a view to “possibly adopting a decision if the United Kingdom meets the applicable conditions.” The Communication adds that it has already held a number of technical meetings with the UK for these purposes. If an adequacy decision is not provided, EU entities transferring personal data to the UK will need to implement a GDPR-compliant transfer mechanism, such as model clauses or binding corporate rules. The Communication recommends that businesses and administrations in the EU take steps to put these measures in place now, irrespective of whether an adequacy decision is taken in favor of the UK. From the UK perspective, adequacy has been conferred on EU Member States until the end of 2024, and as such, transfers of personal data from the UK to the EU may continue until that point.
The Communication recommends that stakeholders consult the readiness notices published since March 16, 2020, including the readiness notice on data protection published on July 6, 2020. This provides an overview of the various data transfer mechanisms that may be implemented, or the derogations from the restriction on international data transfers that may be relied on.