The National Commission for Data Protection (“Commission nationale pour la protection des données”, or CNPD) recently published a report on the consequences of the UK leaving the EU (“Brexit”) in the sphere of international data transfers. This report is intended to guide Luxembourg companies, public bodies and associations that transfer personal data to the United Kingdom and that intend to continue such transfers after Brexit.
In principle, all primary and secondary EU law will cease to apply to the United Kingdom as from the date of Brexit, unless a withdrawal agreement is ratified.
On 14 November 2018, the negotiators of the European Commission and the United Kingdom reached political agreement on the entire agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (the Withdrawal Agreement). However, this Withdrawal Agreement still has to be ratified.
The ratification or non-ratification of this Agreement will have significant consequences for international data transfers between the United Kingdom and Luxembourg.
I. If the Withdrawal Agreement is ratified
If the Withdrawal Agreement is ratified, European data protection rules will continue to apply in and to the United Kingdom for a transitional period, i.e. from the date of Brexit to December 31st 2020 (unless the transitional period is extended).
After the end of the transitional period, in accordance with the Withdrawal Agreement, the United Kingdom will continue to apply European data protection rules to personal data exchanged between the United Kingdom and the Member States of the European Economic Area before the end of the transitional period, until the European Union has established that the level of protection provided by the United Kingdom regime offers data protection guarantees that are "essentially equivalent" to those provided by the European Union (Article 45 of the General Data Protection Regulation, "GDPR").
II. If the Withdrawal Agreement is not ratified
In the event of a “no deal”, European Union law will cease to apply in and to the United Kingdom from the date of Brexit. The United Kingdom will therefore leave the European Union and be considered a third country within the meaning of the GDPR.
Therefore, as from the date of Brexit, in order to continue to legally transfer personal data to the United Kingdom, the Luxembourg entities concerned will have to comply with the legal provisions of Chapter V of the GDPR, which concerns transfers of personal data to third countries or international organisations.
Thus, transfers of personal data from a Member State of the European Union to the United Kingdom may continue to take place after the date of Brexit:
- if the European Commission has decided that the United Kingdom ensures an adequate level of protection (Article 45 of the GDPR), or failing that
- if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (Article 46 of the GDPR). These appropriate safeguards may be:
  - standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission;
  - binding corporate rules;
  - an approved code of conduct or certification mechanism;
  - a legally binding and enforceable instrument between public authorities or bodies.
- in the absence of an adequacy decision or of appropriate safeguards, transfers of personal data to the United Kingdom shall take place only on one of the following conditions:
  - the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  - the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  - the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  - the transfer is necessary for important reasons of public interest;
  - the transfer is necessary for the establishment, exercise or defence of legal claims;
  - the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  - the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
- failing that, finally, a transfer to the United Kingdom may take place only if the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, and under certain conditions set out in Article 49 of the GDPR.
All the rules set out above are to be added to the obligations normally applicable to controllers as set out in the GDPR (compliance with the principle of lawfulness in particular, compatibility of the communication with the original processing operation, information to data subjects, etc.).