The UK has now reached a Brexit deal: what does this mean for personal data transfers?
Data transfers between the UK and the European Economic Area (EEA)
The EU-UK Trade and Cooperation Agreement reached on 24 December 2020 included a temporary solution enabling the ongoing free flow of personal data between the EU and the UK.
From 1 January 2021 the UK is outside the EEA and deemed a ‘third country’. This means that transfers from the EEA to the UK are restricted. For transfers to take place between the EEA and the UK without a transfer instrument, the European Commission must make an adequacy decision. This was not part of the Brexit deal, although the EU has stated that it will undertake such an assessment. Whilst the UK awaits the adequacy decision, it has been agreed that data from the EEA to the UK can be transferred without restriction for the next four months, with the potential to be extended to six months.
Therefore, UK organisations transferring personal data to the EEA will not be required to include transfer instruments such as standard contractual clauses just yet, but this will need to be monitored and may change pending the European Commission’s adequacy decision.
Transfers from the UK to countries outside the EEA and the use of the EU’s standard contractual clauses (SCC)
Until the UK takes decisions on the adequacy of non-EEA data protection laws, the existing EU laws which approved standard contractual clauses will remain sufficient for the purposes of data transfers to non-adequate countries outside the EEA.
Accordingly, existing EU SCCs continue to be valid for transfers out of the UK to non-adequate countries. For new transfers, the EU SCCs can continue to be used (although a number of the terms don’t make sense post-Brexit). They can, however, be amended first to reflect Brexit (but nothing else), and the Information Commissioner’s Office (ICO) has helpfully prepared versions with such suggested amendments.
Transfers to the USA which relied on the Privacy Shield
The decision in Schrems II in July 2020 now means that certification under the US Privacy Shield cannot be relied on. Accordingly, any transfer of personal data to the USA will need to implement the SCC or another transfer instrument.
The UK GDPR replaced the GDPR from 1 January 2021. The UK GDPR now governs the UK’s data protection law; however, it very closely resembles the EU GDPR and therefore, in reality, not much has changed. In practice, UK organisations who would be bound by GDPR with respect to the transfer of data to the EEA may be required to appoint an EU representative and update policies, procedures and documentation. We await further developments in this regard.
What should businesses do now?
Although we would hope that an adequacy decision from the EU will be obtained, there is still pressure on the EU Commission (following the Schrems II decision) to exhaustively analyse the UK’s surveillance powers. This means there is no guarantee that a positive adequacy decision will be forthcoming.
There is therefore no harm in entering into SCCs now (as recommended by the ICO in its statement of 28 December) in case the positive adequacy decision is not arrived at. If, though, like many businesses at present, you are currently facing other urgent issues, you should continue to assess the situation for the next few months. Instead, use the time to address the other impacts on data privacy arising from Brexit or from the Schrems II decision. Should it look likely that there will not be an adequacy decision, though, then you will need to assess your data flows and put in place the SCCs as relevant.