The Brexit transition period has now ended, and a trade deal has been reached. It had been made clear that the UK would be subject to the restrictions on data export to ‘third countries’ for the purposes of the EU General Data Protection Regulation (GDPR) unless and until an adequacy decision has been made by the European Commission, meaning that data flows from the EU to the UK would need to be subject to additional compliance measures. However, hidden in the depths of the UK-EU trade deal are details of a further transition period for the transfer of personal data which avoids that outcome – for now.
The transfer of personal data from the EU to the UK post-Brexit
Pages 414–416 of the trade deal reveal an agreement to allow the continued flow of personal data from the EEA to the UK for a transitional period of up to six months from 1 January 2021. But what does this mean for UK businesses transferring data between the EU and the UK post-Brexit?
What does this mean for businesses?
Under the trade deal, personal data can continue to be transferred from the European Economic Area (EU countries plus Iceland, Norway and Liechtenstein) to the UK on the same basis as during the Brexit transition period for a period of four months from 1 January 2021. This will automatically be extended by a further two months (unless either the UK or the EU objects) if the European Commission has not declared the UK’s data protection regime ‘adequate’ within the first four months.
The interim personal data transfer arrangements are premised on broad principles of parity and non-divergence and accordingly are liable to fall away if the UK takes any of the following actions:
- the UK’s post-Brexit data protection regime (which currently incorporates the substantive provisions of the GDPR into UK domestic law) is amended;
- new rules are enacted for the international transfer of personal data or the UK adopts its own data protection ‘adequacy’ decisions in respect of non-EEA countries;
- new standard contractual clause are adopted for the international transfer of personal data;
- the ICO approves sector-specific codes of conducts which can be relied upon to transfer personal data to a non-EEA country;
- new data protection certification mechanisms are approved which can be relied upon to transfer personal data to a non-EEA country;
- new binding corporate rules are approved by the ICO; or
- new administrative arrangements allowing for the transfer of personal data between public authorities are approved.
From the above, it is clear that the EU is particularly concerned about the risks arising out of onward transfer from the UK of personal data originating in the EEA. If any of the actions above occur, the interim data transfer arrangements will end immediately. The UK will be treated as a ‘third country’ for the purposes of EU to UK data transfers – unless the EU, acting through a new UK/EU mediation body set up under the trade deal (the ‘Partnership Council’) provides prior approval of the relevant matter.
What happens after the new transition period?
In the trade deal it is envisaged that these transitional arrangements will be superseded by a finding of adequacy for the UK’s data protection regime by the European Commission within six months. This would provide a more permanent solution for ongoing personal data transfers between the EU and the UK without the need for additional compliance measures such as model clause agreements. That finding of adequacy will be more than mere formality, however, in the context of the ‘new normal’ relationship between the EU and the UK. In particular, the EU will heavily scrutinise the UK’s mass surveillance laws in the context of appropriate safeguards for personal data.
If no European Commission adequacy finding is in place by 30 June 2021, or the UK takes any of the actions summarised above without the consent of the EU, the UK will become a ‘third country’ for the purposes of the GDPR and personal data transfers from the EU to the UK will need to be subject to additional safeguards such as binding corporate rules or model clauses to allow the continued flow of personal data to the UK from the EEA.
For UK to EEA transfers, the UK had already enacted transitional provisions in the Brexit legislation which will allow the continued free flow of personal data without additional measures.
Finally, an important point to bear in mind is that the trade deal only addresses the transfer of personal data from the EEA to the UK. It does not address any other applicable provisions of the GDPR – for example, the need for UK companies to appoint an EU representative if the GDPR applies by virtue of its extra-territorial provisions.
For further advice on the processes relating to data transfer between the EU and the UK, please get in touch with Muzaffar Shah.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.