In spite of the holiday period, few will have missed the fact that the UK and the EU concluded a Trade and Cooperation Agreement on 24 December 2020. The Agreement provides a framework under which trade will take place following expiry of the transition period on 31 December 2020. “Personal data” is mentioned a mere 158 times in the 1265 pages of the document but there are some significant impacts in this area, as in so many others. This is the first in a series of blogs highlighting some practical data protection implications of Brexit, the end of the transition period, and the adoption of the Agreement.
What does the Agreement say about EU to UK personal data transfers?
From 1 January 2021 the UK will become a “third country” for the purposes of the EU General Data Protection Regulation. Ordinarily this would mean that transfers of personal data could only take place from the EU to the UK if “appropriate safeguards” were implemented for the transfer, or the European Commission had adopted a formal “adequacy decision” recognising the UK as providing an adequate level of protection for personal data.
The Agreement varies this position for a further transitional period, introducing what the UK government refers to as a “bridging mechanism”. It provides that transfers of personal data from the EU to the UK will not be considered a transfer to a third country for a “specified period” of up to six months after the Agreement’s entry into force (this would take the period to the end of June 2021). This is subject to an important safeguard: if, during this period, the UK amends the data protection laws it has in place on 31 December 2020, or exercises certain powers under the Data Protection Act 2018 or UK GDPR without the agreement of the EU Partnership Council, the specified period shall end.
What does this mean for businesses?
In the short term, businesses can continue to transfer personal data between the EU and the UK after 31 December 2020 without the need to take additional measures, such as entering into standard contractual clauses with counterparties. Data flows from the UK to the EU can also continue, since the UK has recognised the EU Member States as “adequate” jurisdictions for the purposes of UK law, on a transitional basis.
It is important to note the interim nature of the Agreement in relation to international transfers of personal data. Unless the European Commission adopts an adequacy decision in relation to the UK by the end of June 2021, businesses will find themselves facing the familiar cliff edge that has presented itself on multiple occasions during negotiation of the Withdrawal Agreement, and subsequently the Trade and Cooperation Agreement.
Acknowledging the uncertainty surrounding the adoption of any adequacy decision, the UK government’s website recommends that “you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data”. This recommendation is also made in a statement issued by the Information Commissioner’s Office.
Recent years have seen significant upheaval in the area of data protection law, and 2021 seems set to continue the trend. As businesses grapple with the implications of the Schrems II judgment on personal data flows leaving the EU and the imminent adoption of updated standard contractual clauses, the UK government’s promise of a post-Brexit regime that “champions” the international flow of data will be promising news for many. It remains to be seen how this objective can be squared with maintaining the standards that will be required to assure the UK of an EU adequacy decision in due course.