
What are the Requirements for Data Exchange with the UK because of ‘Brexit Effect’

Prof. Hedley Christ – University of Brighton

On the 31st January 2020 the United Kingdom (UK) left the European Union (EU). However, for the remaining part of 2020 the UK was, in effect, still a Member State, albeit in a reduced capacity, until the transition period for exiting from the EU had been completed by 31st December 2020. This transition period was to be occupied by the negotiation process; that is, the UK was to agree, with the EU, the means of disentanglement from the EU and determine its future relationship with the EU. Part of this negotiation was to include the nature of digital services and, in particular, cross-border data flows of information. The treaty settlement, however, does not include digital services or how data transfer can occur between the UK and the EU now that the UK is a third country. The UK’s withdrawal agreement makes no explicit provisions for the UK’s continued participation with the European Data Protection Board.

Under Section 2 of the Withdrawal Act 2018 the UK retains EU Law until repealed. However, EU Law is no longer part of the laws of the United Kingdom. This means that although the GDPR is still relevant, the UK is considered a third country as far as cross-border data flow is concerned. Data flow can therefore no longer be automatic, and other means, provided by the GDPR or International Law, must now be considered. The most likely mechanism for the lawful transfer of data will be the Standard Contractual Clauses, which may be approved by a competent Supervisory Authority. However, these will need to comply with the GDPR.

Beyond the Standard Contractual Clauses is the possibility that the Commission could provide an Adequacy Decision for the UK. However, there seems, as yet, to be no real possibility of this occurring in the near future. Data Controllers, therefore, will have to find other means of securing lawful data transfer. One such approach may be the use of Binding Corporate Rules (BCRs), pursuant to Articles 46(2) and 47 GDPR, which are legally binding internal rules adopted by multinational groups of undertakings. BCRs allow data transfer to entities located in third countries irrespective of whether the country can provide for adequate levels of data protection. Beyond these are Codes of Conduct pursuant to Articles 40, 41, 42, & 43 GDPR. These Codes of Conduct have to be approved and enforceable.

These, and other mechanisms, will need to be sought by the UK in order for data transfer to be lawful.

https://youtu.be/BbDrLFEm6Xk