The EU and UK reached a Trade and Co-operation Agreement (‘Brexit Agreement’) on 24 December 2020, bringing clarity to many complex issues following the end of the Brexit transition period, including transfers of personal data. Transfers of personal data to the UK may continue as normal for up to six months after the Brexit transition period ended on 31 December 2020, or until the EU Commission makes an adequacy decision concerning the UK.
Brexit means that the UK will no longer benefit from the free flow of personal data between EU and EEA countries. Any transfer of personal data from the EU to the UK will, therefore, have to comply with the hefty restrictions on international transfers under the GDPR, recently upgraded by the Schrems II judgement.
The Brexit Agreement, however, provides an extension for the benefit of EU-UK data transfers, referred to as the ‘bridge’, meaning that the free flow of personal data between the EU and UK may continue for another four months (until 1 May 2021) extendable for another two months (until 1 July 2021) unless objected to by either the EU or UK. The bridge is conditional on the UK not amending its data protection laws during the period. The period will terminate if the EU Commission confirms before the end of the period that the UK provides adequate protection for personal data (a so-called ‘adequacy decision’).
If the bridge ends without an adequacy decision, companies in the EU would have to have appropriate safeguards in place or rely on derogations as required under the GDPR to justify transfers of personal data to the UK. This would be a considerable and pricey compliance burden for the many organisations operating across the newly adjusted EU border including, for example, EU-based corporate groups with UK entities.
The daunting complexities surrounding international transfers and Brexit have been postponed, but not solved. Stakeholders on both sides of the Channel now face the task of preparing for two opposite scenarios simultaneously. In the absence of an adequacy decision, EU companies would have to have all necessary measures in place (such as standard contractual clauses or other safeguards) to ensure that transfers of personal data to the UK comply with the requirements for international transfers under the GDPR.
At the same time, it is highly desirable and likely that UK adequacy will be confirmed, thus rendering any further safeguards or measures unnecessary. Nevertheless, organisations have to be mindful of both potential outcomes. For example, the UK Information Commissioner’s Office has recommended putting alternative safeguards in place before the end of April.
With this in mind, any EU company potentially transferring personal data to the UK (including providing access to personal data) should carry out the following measures to prepare for a non-adequate scenario:
A confirmation of UK adequacy will be highly anticipated during the following months. Although the UK has now regained autonomy over its data protection law, the requirements of the GDPR have been converted into domestic UK law. This means that GDPR standards will, for now, remain part and parcel of UK data protection law, favouring a finding of adequacy by the EU Commission. After all, the Brexit Agreement and the bridge it establishes aim precisely at allowing sufficient time to decide on adequacy.
However, the EU Commission will have to carry out an intricate analysis of the UK’s broader relevant legislation, notably the UK’s surveillance regime, which has been said to cast doubts on adequacy. The recent Schrems II judgement, in which the European Court of Justice invalidated the partial adequacy arrangement for the US (Privacy Shield), specifically boiled down to excessive surveillance powers of local authorities. Interestingly, the compliance of the UK’s surveillance regime with EU law was challenged by the European Court of Justice only a few months ago, on 6 October 2020 (case C-623/17, ‘Privacy International’). Therefore, the risk of non-adequacy cannot be ruled out and a confirmation of adequacy bears the risk of privacy campaigners subsequently challenging the adequacy decision, as demonstrated by the Schrems case law.
Original article available at www.dittmar.fi