Law 21/2021 introduced several amendments to the Tax Benefits Code, the Stamp Duty Code, the Investment Tax Code, and the Vehicles and Circulation Tax Codes. It also created an extraordinary measure for counting deadlines within the scope of Corporate Income Tax (“CIT”).
Unless otherwise specified, these measures apply retroactively from 1 January 2021.
In this newsletter we analyze the main tax changes introduced by the Diploma.

Tax Benefits Code

The main changes to the Tax Benefits Code are as follows:
Extension of certain tax benefits:

  1. Tax benefits to the financial system and capital markets, sponsorship and others: 31 December 2025 (with retroactive effect from 1 January 2021);
  2. Tax benefits relating to intellectual property income: 31 December 2021 (with retroactive effect from 1 January 2020);
  3. Tax benefits relating to the Madeira Free Trade Zone and the Santa Maria Free Trade Zone: 31 December 2027 (with retroactive effect from 1 January 2021).

Madeira Free Trade Zone. The income of entities licensed to operate in the Madeira Free Trade Zone from 1 January 2015 up to 31 December 2021 is subject to CIT until 31 December 2027, at a 5% rate. This benefit is, however, subject to one of the following applicable annual limits:

  1. 20.1% of the annual gross value added generated in the Autonomous Region of Madeira;
  2. 30.1% of the annual labor costs incurred in the Autonomous Region of Madeira; or
  3. 15.1% of the annual turnover generated in the Autonomous Region of Madeira.

Other benefits:

  1. Income paid by collective investment undertakings to their unitholders will now be excluded from the tax benefit limitation rule;
  2. Interest and rents payable in connection with loans and industrial, commercial or scientific equipment leases granted by non-resident entities will be exempt from PIT and CIT without the need of prior approval of the Minister of Finance;
  3. Entities managing designations of origin and geographical indications of wines, vinegars, spirit drinks of vinic origin and aromatized wine products recognized under the terms of the applicable legislation will be exempt from CIT.

Investment Tax Code

The deadline for contractual tax benefits and regional state aid, in accordance with the national state aid map, is extended until 31 December 2021.

Stamp Duty

The Stamp Duty Code now provides for an exemption from Stamp Duty on the report of securities or equivalent rights carried out on a regulated market or multilateral or organized trading system, as well as on report and financial guarantees carried out by financial institutions, namely by credit institutions and financial companies, with the intermediation of central counterparties.

Vehicles and Circulation Tax Code

The following are revoked with effect from 1 July 2021:

  1. ISV exemption. Light goods vehicles with open, flat, or closed boxes, which do not have a cabin integrated into the body, with a gross weight of 3500 kg, without four-wheel drive are now exempt from payment of ISV;
  2. Circulation Tax Code. The exemption from payment of 50% of the single circulation tax for category D vehicles has been revoked.

Corporate Income Tax Code

The computation of the following deadlines is suspended during the 2020 tax period and the following tax period, with retroactive effect from 1 January 2020:

  1. The deadline for reinvestment of the realization values;
  2. The deadline for deducting from taxable income expenses that could not be deducted in the period to which they relate, due to insufficient taxable income, regarding research and business development expenses in the Autonomous Region of Madeira.

E-signatures are essential to verify the identity of individuals and businesses online and to ensure authenticity of electronic documents.
In the European Union (‘EU’), electronic identification and trust services (‘eIDAS’), which include e-signatures, are governed by Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (‘eIDAS Regulation’), which came into force in July 2016.
Although the eIDAS Regulation is directly applicable in all Member States and does not require implementation by local laws, certain specifics such as validity, effects and legal value of e-signatures and e-documents require local regulation that must be in line with the eIDAS Regulation.
In Portugal, local eIDAS specifics are governed by Decree-Law 12/2021, of February 9, 2021 (‘Portuguese eIDAS Law’), which has been in effect since March 11, 2021.
At the same time, the upcoming obligation for companies with FYE on December 31, 2020 to hold their general meetings of shareholders to approve annual accounts by March 31, 2021 leads us to the rules on ‘e-shareholder meetings’, i.e. meetings held using electronic means.

ELECTRONIC SIGNATURES

E-signatures are generally accepted in Portugal and in the EU. However, their value as evidence varies according to the type of signature.
The eIDAS Regulation establishes the following types of e-signatures:

  • Simple e-signature: data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign, as set out in the eIDAS Regulation. For example, writing a name on an e-mail may be considered a simple e-signature.
  • Advanced e-signature: an e-signature which additionally is (i) uniquely linked to and capable of identifying the signatory, (ii) created in a way that allows the signatory to retain control and (iii) linked to the document in a way that any subsequent change of the data is detectable.
  • Qualified e-signature: an advanced e-signature which additionally is (i) created by a qualified signature creation device and (ii) based on a qualified certificate for e-signatures. The use of a qualified e-signature means (i) that the signatory of the document is the individual identified by the qualified signature; (ii) that such individual had the intention to sign the document; and (iii) that the content of the document signed with the qualified e-signature has not changed since it was e-signed.

Only the qualified e-signature has the same value as evidence as a handwritten signature.
Nevertheless, the other types of e-signatures may be used:

  • If the contracting parties agree to use other types of e-signatures (simple or advanced), subject, however, to mandatory provisions on the form required for certain agreements; or
  • If someone submits an electronic document signed with another type of e-signature and the counterparty accepts such e-signature as valid.

Qualified e-signatures based on qualified certificates issued in one EU Member State are acknowledged as qualified e-signatures in all other Member States. Providers of qualified certificates for e-signatures in each Member State are listed in the Trusted List.
As the United Kingdom (‘UK’) is no longer a member of the EU, qualified e-signatures based on qualified certificates issued by providers in the UK are not automatically recognised and accepted in the EU. The UK eIDAS Regulations, which are an amended form of the EU eIDAS Regulation and retain many aspects of the EU regulation, are tailored for use within the UK.

ELECTRONIC DOCUMENTS

Electronic documents are valid in Portugal. If the electronic document meets the requirements to be considered a written document – i.e., if it may be represented as a written statement – it will be considered equivalent to a paper document in written form.
Such electronic document signed using a qualified e-signature will be equivalent and have the same value as evidence as a paper document with a handwritten signature. The value as evidence of electronic documents signed with simple e-signatures or advanced e-signatures will be freely assessed by the court, which means additional evidence could be required to demonstrate the content of such documents.
If the electronic document cannot be represented as a written statement, it will have the value as evidence of a photograph or of a copy, even if signed using a qualified e-signature.
Copies of e-signed electronic documents that do not allow the verification and validation of e-signatures may have the same value as evidence of the original if they are certified by a notary.
Under the Portuguese eIDAS Law, the dispatching of electronic documents is subject to the following rules:

  • An electronic document sent by electronic means is deemed sent and received by the addressee if it is transmitted and received at the electronic address agreed by the parties;
  • The date and time of creation, dispatch or receipt of an electronic document containing a time stamp issued by a qualified trust service provider is effective between the parties and against third parties;
  • An electronic document with a qualified e-signature or a qualified electronic seal sent by electronic means that ensure effective receipt is equivalent to dispatching by registered post. If receipt is confirmed by a confirmation message addressed to the sender by the addressee in an identical form, it is equivalent to dispatching by registered post with acknowledgement of receipt;
  • Dispatching of data and documents using qualified electronic registered mail services is equivalent to using registered post with acknowledgement of receipt.

ELECTRONIC SHAREHOLDERS’ MEETINGS

Although usually shareholder general meetings take place in the corporate head-offices, it is possible for shareholders of Portuguese companies to hold general meetings using electronic means, unless the company’s articles of association establish otherwise.
Some aspects must, nevertheless, be taken into consideration when deciding to hold the meetings electronically:

  • It is an option of the company and not of the shareholders; and
  • The company must put in place technical means to confirm the identity of the shareholders attending the meeting, to ensure the authenticity and safety of communications in the meeting, and to keep a full record of the meeting.

This means, for example, that the notice of the meeting must specify that the meeting is to be held electronically and that the company must provide the shareholders the information required to access the meeting.
Even though the meetings are held electronically, minutes containing the record of discussions and resolutions must be drafted and signed by the chairman and secretary of the meeting (in case of S.A. companies) or by the shareholders (in Lda. companies), as applicable, either in paper or in electronic form.

The Portuguese Energy Secretary of State announced that the Portuguese Government will publish the general guidelines for a Portuguese Hydrogen Auction in the first week of April. This will be followed by a set of public sessions for promoters.
This auction is the second initiative to develop the H2 technology in Portugal after the kick-off of the Green Flamingo project, a large production unit to be built in Sines, as part of the Portuguese Hydrogen National Plan.
Consumers and not producers, as originally planned, will be participating in this auction. It is expected to capture the interest of large consumers, mainly industrials and/or consumers applying for self-consumption programs.
The guidelines projected for April will be key to understanding this mechanism: the auctioned amounts, the auction date and any financial prerequisites are not yet known.
The auction will be based on Carbon Contract for Differences (commonly known as “CfDs”), with the participants bidding amongst themselves to buy a certain amount of hydrogen.
The difference between the awarded bid (strike price) and the carbon price will be paid through public funds. The Portuguese Government anticipates that, over the years, the carbon price drops and such payments will cease to exist.
There will also be a special channel for the energy suppliers to participate in the auction. In this case, the hydrogen bought will not be used for self-consumption but sold in the market instead.
This announcement promises to bring back the promoters’ enthusiasm and create new expectations for 2021 in the renewables market.
 

The Portuguese Presidency of the Council of the European Union can now negotiate the proposed e-Privacy Regulation. This regulation, yet to be negotiated with the European Parliament, is intended to continue the European Commission's 2017 proposal while defining rules on direct marketing, cookies and metadata within the "online privacy" framework.
Once approved, the regulation will revoke the e-Privacy Directive, transposed by Law 41/2004 of 18 August into Portuguese domestic law. This Directive and the Portuguese law that transposed it are almost two decades old and no longer keep up with the new challenges that come with technological development.
The proposed e-Privacy Regulation includes:

  • Electronic communications data confidentiality and the users’ consent to their processing. Listening, monitoring and data processing by a third party will be prohibited, except if allowed by law or for protection against exceptional situations, e.g. guaranteeing the integrity of the services, malicious programs or viruses;
  • End users’ choice to accept cookies (or not). To avoid "consent fatigue", users can consent to certain types of cookies by setting permissions in their browser's default settings;
  • In marketing communications, the users’ consent rule stands when the user is a natural person (opt-in). If the user is a customer, prior consent to direct marketing communications is not needed if the seller obtained the client’s electronic contact details during the sale of a product or service where the customer had the possibility to opt out of receiving these communications (soft opt-in). Member States can define the period during which data can be used for sending marketing communications in their domestic law;
  • Metadata processing is allowed for billing purposes or to detect or prevent fraudulent use, or if the user so consents. Metadata can also be processed to protect vital interests of users, e.g. to monitor epidemics and their spread, or during humanitarian emergencies.

As lex specialis, the e-Privacy Regulation will set out the rules on privacy in electronic communications and, when and where not applicable, the General Data Protection Regulation ('GDPR') will apply. One will not replace, but rather complete, the other and vice versa.
The Council will discuss the draft Regulation with the European Parliament. Once approved, the Regulation will enter into force 20 days after its publication and apply after a transitional period of two years.

On February 18, the European Commission opened violation proceedings against countries that have incorrectly transposed into their domestic law provisions regarding the 4th Anti-Money Laundering Directive (AMLD4 or Directive), Portugal included.
The deadline for the transposition of AMLD4 was June 27, 2017, and Brussels concluded that several provisions of the Directive were not transposed correctly into Portuguese law.
Because of this, the European Commission initiated a violation procedure by sending the defaulting countries a formal notice.
Over the next two months, Portugal must defend itself and answer adequately the Commission’s questions on why the transposition was not fully done. If it does not, the violation procedure will be pursued.
Portugal must address the fundamental aspects of the anti-money laundering framework, such as: (i) exchanging information with Financial Intelligence Units (FIUs) and cooperating adequately with them, for that matter; (ii) complying with customer due diligence requirements; and (iii) fostering and encouraging the transparency of central beneficial ownership registers.
If the Commission concludes that Portugal has not complied with its obligations under the EU law, the second stage of the violation procedure will follow.
In the second stage, the Commission sends Portugal a formal request to comply with AMLD4 and sets out the reasons why it considers that Portugal is breaching EU law. It also asks Portugal to inform the Commission of the measures adopted, within a specified period, usually 2 months.
The non-compliance with these rules might cause an impact on the EU, as a whole, by not protecting the financial system and combating money-laundering-related crimes. In order to step up these efforts the Commission published a six-point Action Plan on May 7, to further strengthen the EU's fight against money laundering and terrorist financing.
Now Portugal has to wait and see what the European Commission will decide, and we have to wait and see how the country will justify the poor transposition of the Directive into the Portuguese legal system.

January 2021 marked an important stage in the relationship between the EU and the UK regarding data privacy. As of 2021, the UK is considered a third country when it comes to international data transfers, meaning that there was data before and there is data after Brexit.
Since the requirements in GDPR concerning international transfers of (personal) data to third countries are strict, and since there was not an EU adequacy decision on UK’s data protection legal framework, risks of non-compliance for businesses transferring data from an EEA country to the UK were significant.
But, on February 19 2021, fifty days after the EU and UK markets were set apart, the EU published a draft decision on adequate protection of personal data by the UK under GDPR.
The draft decision concludes that the UK’s legal framework when it comes to data protection ensures a level of protection of personal data transferred from the European Union that is essentially equivalent to the one guaranteed by GDPR, and that both supervision and adjustment mechanisms facilitate the detection of violations and their punishment, as well as solutions for data subjects.
Considering this draft decision, and assuming a final decision will contain the same terms, the transition period initially set out will no longer apply and businesses in the EU will be able to continue to transfer personal data to the UK based on an adequacy decision, which means that data transfers to the UK have no restrictions whatsoever.
This is very relevant news for several key economy sectors, such as health, banking and technology, and the continuity of EU-UK data flows therein.
This draft decision includes, however, a duration period of four years at the end of which the EU must renew its adequacy decision. Because the UK will no longer be bound by the current data protection framework after the EU-UK Trade and Cooperation Agreement ceases to apply, the EU decided to subject the adequacy decision to an amendment and restatement by the end of 2024: six months before the adequacy decision ceases to apply, the EU must initiate a procedure to amend it by extending its temporal scope for an additional period.
Within the next few weeks, EDPB is expected to issue an opinion on the draft decision, which will be taken into consideration in the preparation of (but should not stop) the final decision.

2021-02-15
Susana Vieira

As of January 1, 2022, investors will no longer be able to buy real estate in Lisbon and Oporto to obtain a residence visa – a “golden visa” – in Portugal.
Investors that have already purchased real estate in these areas or are in the process of doing so will not be affected by these changes. So, for investors that intend to invest in high-density regions of the country, such as Aveiro, Braga and Coimbra and the majority of Algarve, the time to do so is now or until the end of 2021.
Real estate in inland areas of the country, Azores and Madeira will, however, still be eligible for obtaining a golden visa in Portugal. In these areas, for a minimum of €500,000 for new properties and €350,000 for properties purchased for renovation, one can still apply for a golden visa and become a Portuguese resident.
Minimum investment requirements will increase for those who apply for a residence visa by making capital transfers to Portugal:

  1. capital transfers for no specific reason will increase from €1,000,000 to €1,500,000;
  2. capital transfers for (i) research purposes; (ii) acquisition of investment funds or venture capital funds shares and (iii) investing in existing and registered Portuguese businesses will increase from €350,000 to €500,000.

The rules above are included in Decree-law no. 14/2021, of 12 February, and will apply to visa requests filed after January 1, 2022. The renewal of residence visas granted under the rules in force until December 31, 2021, and the granting and renewal of family regroup visas connected with residence visas also granted under the rules in force until December 21, 2021, will not be affected by the new rules.

On 14 January 2021, the European Data Protection Board ('EDPB') adopted Guidelines 1/2021, the first guidelines issued this year, which include practical and useful examples of notifications of personal data breaches ('Guidelines') under the General Data Protection Regulation ('GDPR').

These Guidelines are to be the continuation of the guidelines issued by the former Article 29 Working Party ('WP250 Guidelines') in 2018, adding the experience obtained by the supervisory authorities of the various Member States with the application of the GDPR.

In contrast with the WP250 Guidelines, the current Guidelines adopt a more practical approach, stressing the importance of a risk assessment when it comes to the possible causes for a data breach. The Guidelines provide examples of data breaches (the most common) and the procedures to be followed, underlining the importance of documenting the entire process in the event of a data breach.

The examples given are divided into six groups: (i) 'ransomware'; (ii) data exfiltration ‘attacks’; (iii) breach due to human error within companies; (iv) lost or stolen devices and paper documents; (v) breach resulting from communications (‘mispostal’); and (vi) other cases (involving 'social engineering').

The specific examples indicated by the EDPB (about 18) range from submitting an online application for a job position, to filling in credentials on a bank website, to personal data breaches in hospitals.

In other words, these are day-to-day situations that no person or entity is completely safe from. It is therefore recommended that, in the event of a data breach, the following measures are taken:

  1. Investigate the data breach so that, after identifying its origin, the measures to be taken are assessed. Ideally, there should be a 'contingency plan' drawn up in advance for this purpose;
  2. The next step is to take the necessary measures to mitigate the damage resulting from the data breach (such as returning all affected computer systems to a 'clean' state and repairing their vulnerability) and report the breach to the relevant supervisory authority. The report should be made within 72 hours from the moment the breach is known, when it is likely that it represents a risk to the rights and freedoms of the persons involved (the data subjects);
  3. Finally, if the data breach constitutes (or is likely to constitute) a high risk to the data subjects’ rights and freedoms, it must also be reported to the data subject.

These Guidelines will be under public consultation until March 2, 2021.

Overview

On January 15, 2021, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the draft proposal of Standard Contractual Clauses (SCCs) released by the European Commission on November 12 2020 for data transfers from within the EEA to non-EEA countries (third countries) (the Draft SCCs).

Once settled, the Draft SCCs will replace the existing SCCs: (i) EU controller to non-EU or EEA controller (Decision 2001/497/EC and Decision 2004/915/EC) and (ii) EU controller to non-EU or EEA processor (Decision 2010/87/EU), approved under the former Data Protection Directive, which was repealed by the EU General Data Protection Regulation (GDPR).

GDPR requires a solution to be implemented for data transfers from the European Economic Area (EEA) to third countries that do not provide an adequate level of data protection. The SCCs, among or together with other options, such as data subject’s consent, binding corporate rules (BCR), ad hoc contractual clauses, approved codes of conduct or certification mechanisms, allow international data transfers in compliance with GDPR.

The EU-US Privacy Shield was also one of the solutions used to justify data transfers from the EEA to the US. Last summer, the EU-US Privacy Shield was, however, ruled void by the Court of Justice of the European Union (CJEU) in the Schrems II case. Consequently, organizations using the EU-US Privacy Shield need to rely on alternative solutions, among which SCCs may be used to justify data transfers to the US.

For a comprehensive approach, we will first recall the Schrems II case and the subsequent steps until the recent joint opinion issued by EDPB and EDPS.

Schrems II case

This decision of July 16 2020 (Schrems II case) is the sequel to a previous ruling, in which the CJEU invalidated the EU-US Safe Harbour (Schrems I case). The EU-US Safe Harbour was the predecessor of the Privacy Shield, which was also ruled inadequate to ensure the level of protection required for international data transfers. In turn, the CJEU considered the Commission Decision 2010/87/EU applicable to data transfers from EU controllers to non-EU or EEA processors to be valid.

This CJEU ruling follows a complaint lodged by M. Schrems. The Austrian citizen and Facebook user lodged his complaint with the Irish data supervisory authority seeking to prohibit Facebook Ireland from transferring his personal data to the US. Personal data of Facebook users who are resident in the EU is transferred to servers of Facebook Inc. located in the US, where it is processed under International SCCs.

M. Schrems claimed that International SCCs would not offer sufficient protection against access by US public authorities to the data transferred to the US.

Following the Advocate General’s Opinion (non-binding opinion published on 19 December 2019) on this case, the CJEU considered International SCCs as adequate. The Court points out that International SCCs decision imposes an obligation on the data exporter and on the data recipient to verify, prior to any transfer, whether that level of protection is respected in the receiving country and that the decision requires the recipient to inform the data exporter of any inability to comply with International SCCs, the latter then being, in turn, obliged to suspend the transfer of data and/or to terminate the contract with the former.

On the other hand, CJEU challenged the level of protection afforded by the Privacy Shield on the grounds that it does not include satisfactory limitations to ensure the protection of EU personal data from access and use by US public authorities based on US domestic law.

The Schrems II case has relevant implications for data transfers from the EU to third countries (namely the US) and left data subjects, controllers, and processors with a great deal of uncertainty in relation to the conditions under which data exports can occur, i.e. what the practical consequences for existing and new contracts are and how to conduct Transfer Impact Assessments (TIAs) onwards.

SCCs meet businesses halfway

Further to the Schrems II ruling, on 10 November 2020, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

The EDPB recommendations emphasize the principle of accountability, under which controllers that export personal data must ensure that, whatever mechanism and supplemental measures govern a data transfer, the data receives the same protection it would in the EU. Otherwise, the data transfer will breach GDPR. These recommendations are targeted to both public and private transfers of EU data to private sector entities outside the EU.

Data exporters need to determine whether they must use supplemental measures other than the revised SCCs. EDPB provides examples of supplementary measures to be assessed on a case-by-case basis, such as “flawlessly implemented” encryption and pseudonymizing data.

Two days after the EDPB’s recommendations, the Commission published the Draft SCCs, with input due by December 10, 2020. As data processing is increasingly complex, the watchword of this draft proposal is adaptability.

The Draft SCCs combine general clauses with a modular approach to cater for various transfer scenarios. In addition to the general clauses, controllers and processors should select the module applicable to their situation among the four following modules: (i) module one: transfer controller to controller; (ii) module two: transfer controller to processor; (iii) module three: transfer processor to processor; and (iv) module four: transfer processor to controller.

Some relevant issues that should be concerning to organizations dealing with international data transfers, and that do not solve any of the issues raised by the Draft SCCs, include:

  • On the adequacy of the law and practices of the third country. This is not a great relief for controllers and processors, who bear a great deal of responsibility;
  • A brief period of one year to comply. Organizations will need to put in practice the revised SCCs for their entire business operation. The draft proposal grants organizations one year to do so, which may come up short;
  • The revised SCCs are not necessarily of use, or mandatory, for organizations operating under SCCs of greater privacy assurance. SCCs work as a minimum protection threshold.

Joint opinion of EDPB and EDPS

In this context, on November 12 2020, the Commission requested EDPB and EDPS to issue a Joint Opinion on the Draft Decision and the Draft SCCs (“the Joint Opinion”).

In general, EDPB and EDPS are of the opinion that the Draft SCCs offer a reinforced level of protection for data subjects. In particular, EDPB and EDPS welcome the specific provisions intended to address some of the main issues identified in the Schrems II ruling.

Nevertheless, EDPB and EDPS are of the understanding that several provisions could be improved or clarified, including (i) the scope of SCCs; (ii) certain third-party beneficiary rights; (iii) certain obligations regarding onward transfers; (iv) aspects of the assessment of third country laws regarding access to public data by public authorities; and (v) the notification to the supervisory authority.

The conditions under which SCCs can be used must be clear for organizations and data subjects should be provided with effective rights and remedies. SCCs should include a clear distribution of roles and of the liability regime between the parties. Regarding the need, in certain cases, for ad-hoc supplementary measures to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU, the Joint Opinion considers that new SCCs will have to be used along with EDPB Recommendations on supplementary measures.

EDPB and EDPS thus invite the Commission to refer to the final version of EDPB Recommendations on supplementary measures.

The revised SCCs together with the recent Schrems II ruling will give a new approach to international data transfers, with due diligence measures required of data exporters to ascertain whether the country of the data importer effectively ensures an adequate level of protection. For data exporters, this may however become a huge task, as they will need to map all transfers and understand the laws and practices of the third country to adopt appropriate measures to meet the EU’s data protection requirements.

Since January 1, 2021, the UK is considered a third country regarding international transfers of data. Except for the interim period of four months set out in the EU-UK Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK will be treated as a data transfer to a third country, and the transfer will need to meet the GDPR requirements for international data transfers.

If the EU does not issue an adequacy decision on the UK for the purpose of international data transfers within the next four to six months, all companies that transfer personal data to the UK will need to ensure that they have appropriate safeguards that comply with the requirements of the GDPR and legitimize transfers of data to the UK.

In this short briefing, you can learn more about (i) the EU-UK Trade and Cooperation Agreement regarding data protection, (ii) the implications of non-compliant data transfers to the UK, and (iii) the GDPR requirements for international transfers of data.

Brexit: bidding farewell to the UK

From January 1, 2021, the EU and the UK form two separate markets. The movement of persons, goods and services has come to an end between these two territories. On December 24, 2020, the EU and the UK agreed the terms of a free trade agreement, a governance framework, and a citizen’s security framework.

As regards personal data protection, the EU and the UK commit to uphold high levels of data protection standards, and, for a period of four to six months, an interim period allows the free flow of personal data from EEA countries to the UK, ensuring a transition after Brexit. This is temporary relief for businesses, as a no-deal Brexit would have meant that new transfer mechanisms were needed as early as January 2021.

The UK issued guidance stating that EEA countries will be considered adequate for the purpose of transfers of data, so these transfers will be permitted from the UK to the EEA. But the Brexit deal leaves out the adequacy of data protection rules in the UK, so for data transfers from EEA countries to the UK to be considered legitimate, it is still necessary that the EU issues an adequacy decision under Article 45 of the GDPR.

As regards data protection, the relationship between the EU and the UK remains unchanged until 1 May 2021 (or 1 July 2021, if it is extended). For the second semester of 2021, however, and if the EU does not issue an adequacy decision, things will change.

Risks of non-compliance

Following the transition period, and unless the EU determines the level of adequacy for personal data protection in the UK, the risks of non-compliance for businesses transferring data from an EEA country to the UK are significant.

Businesses infringing provisions regarding transfers of personal data to recipients in a third country are subject to fines of up to €20 million or up to 4% of their total worldwide annual turnover, whichever is higher.

Having considered the risks posed by faulty compliance with the rules governing the transfers of data to the UK after the transition period, businesses must understand the GDPR requirements for cross-border transfers and structure internal policies accordingly.

International transfers of data under the GDPR

An international transfer of data is a communication of personal data from a permanent data storage location within the EEA, made available to an identified party with the sender’s knowledge or intention to give the recipient access to such personal data at a destination outside of the EEA.

Under Articles 45 and 46 of the GDPR, transfers of data outside of the EEA can only occur if (i) they rely on an adequacy decision of the EU or, if there is none, if (ii) there are appropriate safeguards in place, namely adequate standard contractual clauses, binding corporate rules, codes of conduct, or security certification procedures, save for any of the derogations of Article 49, and (iii) on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

An adequacy decision by the EU determines that a country outside of the EEA has an adequate level of data protection standards to the extent that data can be transferred to that country without any further safeguards. It is expected that the EU will issue an adequacy decision on the UK during the transition period, but businesses should nevertheless be prepared to put in place standard contractual clauses, corporate rules binding their group’s entities, codes of conduct and certification mechanisms in line with the EU’s standards and guidelines.

It is also useful to consider two sets of recommendations issued by the EDPB on personal data transfers to third countries and related to the conclusions of the CJEU in its recent judgment C-311/18 (Schrems II). These recommendations have a special impact on measures that supplement transfer tools to ensure compliance with adequate levels of personal data protection.

Summary

For the first four months of 2021, there will be an interim period, which can be extended for an additional two months, in which transfers from the EEA to the UK can occur legitimately without the requirements set out under the GDPR for international data transfers.
It is noteworthy that the interim period is precarious: in case the UK changes its current legal framework on data protection, the transition period will immediately come to an end, except if previously approved by the EU. At the end of this interim period, unless the EU issues an adequacy decision on the UK data protection framework, transfers of data from an EEA country to the UK are not permitted unless appropriate safeguards are put in place in compliance with GDPR.