The National Commission for Data Protection (“Commission nationale pour la protection des données”, or “CNPD”) recently published a report on the consequences of Brexit in the sphere of international data transfers. This report is intended to guide Luxembourg companies, public bodies and associations that transfer personal data to the United Kingdom and that intend to continue such transfers after March 29th 2019.
In principle, all primary and secondary EU law will cease to apply to the United Kingdom as from March 30th 2019, unless a withdrawal agreement is ratified by then.
On November 14th 2018, the negotiators of the European Commission and the United Kingdom reached political agreement on the entire agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community (the “Withdrawal Agreement”). However, this Withdrawal Agreement still has to be ratified.
The ratification or non-ratification of this Agreement will have significant consequences for international data transfers between the United Kingdom and Luxembourg.
I. If the Withdrawal Agreement is ratified before 29 March 2019
If the Withdrawal Agreement is ratified, European data protection rules will continue to apply in and to the United Kingdom for a transitional period of 21 months, i.e. from March 30th 2019 to December 31st 2020 (unless the transitional period is extended).
After the end of the transitional period, in accordance with the Withdrawal Agreement, the United Kingdom will continue to apply European data protection rules to personal data exchanged between the United Kingdom and the Member States of the European Economic Area before the end of the transitional period, until the European Union has established that the level of protection provided by the United Kingdom regime offers data protection guarantees that are "essentially equivalent" to those provided by the European Union (Article 45 of the General Data Protection Regulation, "GDPR").
II. If the Withdrawal Agreement is not ratified by 29 March 2019
In the event of a “no deal” Brexit, European Union law will cease to apply in and to the United Kingdom from 30 March 2019 (or from a later date in the event of application of Article 50(3) of the Treaty on European Union). The United Kingdom will therefore leave the European Union and be considered a third country within the meaning of the GDPR.
Therefore, as from March 30th 2019, in order to continue to legally transfer personal data to the United Kingdom, the Luxembourg entities concerned will have to comply with the legal provisions of Chapter V of the GDPR, which concerns transfers of personal data to third countries or international organisations.
Thus, transfers of personal data from a Member State of the European Union to the United Kingdom may continue to take place after March 30th 2019:
- if the European Commission has decided that the United Kingdom ensures an adequate level of protection (article 45 of the GDPR), or failing that
- if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (article 46 of the GDPR). These appropriate safeguards may be:
- standard data protection clauses adopted by the Commission or by a supervisory authority and approved by the Commission;
- binding corporate rules;
- an approved code of conduct or certification mechanism;
- a legally binding and enforceable instrument between public authorities or bodies.
- in the absence of an adequacy decision or of appropriate safeguards, transfers of personal data to the United Kingdom shall take place only on one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
- failing that, lastly, a transfer to the United Kingdom may take place only if the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller, and under certain conditions enounced in article 49 of the GDPR.
As an adequacy decision is not likely to be adopted by the European Commission by the end of March 2019, it is recommended that the entities concerned assess the "appropriate guarantees" referred to in Article 46 of the GDPR in order to determine which one would be most appropriate for their situation and ensure that it is in place before 30 March 2019.
All the rules set out above are in addition to those obligations ordinarily applicable to controllers and which are provided for in the GDPR (compliance with the principle of lawfulness in particular, compatibility of the communication with the original processing operation, information to data subjects, etc.).