We have a deal! After several months of negotiations, on 24 December 2020, the EU and the UK announced that they have finally agreed on an agreement regulating trade and cooperation between the UK and the remaining 27 member states after 31 December 2020 (Trade Agreement). From a data protection perspective, this is welcome news as the Trade Agreement provides an effective temporary arrangement for personal data to be transferred between the EU and the UK.
The EU General Data Protection Regulation (GDPR) allows for a free flow of personal data within the EU. Before Brexit and during the transition period this included the UK. Before the UK left the EU on 1 February 2020, the EU and the UK had agreed on a transition period to mitigate certain negative consequences of the Brexit which resulted, effectively, in the UK being treated as if it still was a member of the EU. However, as this transition period expired on 31 December 2020, it became important to come to an agreement defining the future relationship between the UK and the EU. This is because since 1 January 2021, EU data protection law requires that the UK be treated as a third country. Only if the EU Commission issues a so-called adequacy decision certifying that the UK has an adequate level of data protection, can data continue to flow from the EU to the UK without companies having to take further measures. However, so far the EU Commission has not issued such decision and has not indicated whether it will.
The Trade Agreement
Article FINPROV.10A of the Trade Agreement gives the EU Commission, and thus also data-transferring companies, a little more time. It allows data flows between the UK and the EU for at least another four months under the old conditions; in other words, it has the effect of an interim soft-adequacy decision.
Provided that the UK refrains from (a) amending its existing data protection laws and (b) exercising certain powers pursuant the Data Protection Act 2018 (DPA, by which the UK incorporated the GDPR into national law), the Trade Agreement maintains the status quo until 30 April 2021, which will be automatically extended until 30 June 2021 unless one of the parties objects or an adequacy decision is issued by the EU before then. It should be noted, however, that the interim permission to transfer personal data from the EU to the UK comes to an end before that date, if the UK (i) amends the DPA, (ii) issues its own adequacy decision vis-à-vis a third country, or (iii) approves other transfer mechanisms to such third countries than those approved under the regime of the GDPR, without the EU’s consent.
In a Nutshell
The Trade Agreement is relevant for all processing of personal data concerning data subjects located in the EU (EU personal data) in connection to the UK, regardless of whether the entity processing the data is actually located within the EU or not.
UK businesses that process EU personal data and businesses elsewhere (i.e., within an EU Member State, the US, or any other country) that transfer personal data to or from the UK, or process EU personal data within the UK, can continue to do so under the conditions set forth in the GDPR until 30 April, or, if prolonged, until 30 June 2021.
If no adequacy decision is issued by the EU Commission by this date, additional safeguards will have to be implemented according to Chapter 5 of the GDPR (e.g. standard contractual clauses, a new version of which is about to be issued.) For further information on this read our prior blog post, “New Draft Standard Contractual Clauses for Cross-Border Transfers of Personal Data and Controller-Processor Relationships.”
As far as data privacy and the business between the EU and the UK is concerned, the Trade Agreement provides a short-term solution only. As such, businesses, whether in the UK, the EU, the US, or elsewhere, should keep their eye on the adequacy decision process and be prepared for the possibility that the UK may not be granted an adequacy decision by the EU Commission. While an adequacy decision may be a top priority for the UK as far as international privacy agreements are concerned, the grant will depend to a large extent on what changes the UK makes, or proposes to make to its domestic privacy laws and its other international commitments, particularly to the US.
For more information about what would happen in the event no adequacy decision is granted or no other solution is found after 30 April 2021 (or 30 June 2021, respectively) read the GT Alert “Brexit: The Future of Data Flow to and from the EEA and the UK.”