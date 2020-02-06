The French data protection authority (‘CNIL’) published, on 31 January 2020, a statement on the impact of Brexit on data protection which addresses, among other things, the transitional period, international data transfers, and adequacy.

The Brexit transitional period

In particular, CNIL highlighted that for the duration of the transitional period which ends on 31 December 2020, as stipulated in the European Union (Withdrawal) Act 2018 (‘the Withdrawal Agreement’), the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) will continue to apply in the UK.

Sonia Cissé and Jean Fau, Counsel and Associate, respectively, at Linklaters LLP, told OneTrust DataGuidance, “After the transition period, it is expected that the UK will be incorporating the GDPR into its national law as the ‘UK GDPR,’ with only minimal variations from the former. As such, the general data protection laws will remain largely the same during the transition period, but also after it. Thus, besides the matter of data transfers (in particular from Europe to the UK), there is no major obstacle to be foreseen for companies, both short and long term.”

In terms of practical steps that can be taken before the end of 2020, Stephanie Faber, Head of Data Privacy & Cybersecurity Practice and Intellectual Property & Technology Practice at Squire Patton Boggs, Paris, suggests that, “French companies will need to plan in advance for an alternative solution, even if it is temporary […] Based on experience, preparing and signing Standard Contractual Clauses (‘SCCs’) always takes more time than expected. Time will also be required to adapt existing Binding Corporate Rules (‘BCRs’). Finally, companies will have to update their records of processing activities (Article 30 of the GDPR).”

Impact on data transfers and the relationship between controllers and processors

In particular, CNIL states that Brexit does not mean that companies will need to rely on the guarantees applicable to the transfer of data from the EU to third countries. In addition, CNIL outlines that data transfer conditions following the end of the transition period may change.

Fau and Cissé clarified, “The UK will become a third country after the transition period, and, even though it is pretty certain to eventually obtain an adequacy decision (as a former EU country, incorporating the GDPR), the timing of it is not clear. From a practical point of view, this should not be an issue, as most companies use the SCCs approved by the European Commission (‘the Commission’) for transfers outside of the EU. The use of such mechanisms should not encounter major pushback between EU controllers and UK processors, as UK companies will continue to have a GDPR-like level of data compliance, both during the transition period but also after.”

Faber noted that, “The question is whether the UK will and can accept the EU SCCs to this effect, and, if not, which alternative instrument will be implemented. Possibly, this may require a new set of SCCs specifically for transfers between the EU and UK.”

Regarding the relationship between controllers and processors, Faber continued, “Many companies are a long way from having signed all the required agreements. Possibly having to sign the SCCs will resolve some of the negotiation issues where these overlap with the terms and conditions of these SCCs, as it is not permitted to amend SCCs. One of the remaining issues is that, currently, there are no SCCs for data flows from an EU processor to a non-EU recipient (whether a sub-processor or a controller).”

What a future adequacy agreement could look like

Finally, CNIL indicated that, beyond the transitional period, transfers of personal data to the UK should be covered by mechanisms of the GDPR, at least until the Commission issues a decision recognising that the UK offers an adequate level of protection. Further to the same, Cissé and Fau reassured that, “Since the UK will be adopting a GDPR-like legislation, it is likely that an adequacy decision would not be subject to an ad-hoc mechanism (like the Privacy Shield in the USA). The process of reaching an adequacy decision is, however, likely to take some time (it has historically taken around at least 18 months). It is also probable that the question of adequacy will be used as a bargaining chip in wider political negotiations between the UK and the EU, which could make for an even longer waiting period. While data transfers to the UK will definitely be more restricted, companies will likely resort in the meantime to the use of SCCs as transfer safeguards.”

