Many businesses who either transfer personal data from the UK to the EU, or in the other direction, have been concerned that the post-Brexit data protection landscape is unclear or more complex than before. The particular concern has been than doing business across borders would require extra steps or additional contracts to be entered into.
When the Brexit transition period ended on 31 December 2020, the UK became a “third country” for GDPR purposes, meaning that transfers of personal data from the EU to the UK would be treated as transfers out of the EU. Those transferring data from inside the EU to the UK would have an obligation to ensure that adequate protections for data subjects were in place before a transfer could be made. This means that transfers or personal data into the UK would require additional mechanisms to protect individuals, such as “standard contractual clauses”, with which business in the UK would only be familiar if they were previously transferring personal data to non-EU countries.
However, the trade and co-operation agreement of 24 December 2020 includes an interim provision dealing with personal data transfer from the EU to the UK. This bridging mechanism provides that during the interim period, the UK will not be deemed a third country, and personal data transfers from the EU to the UK can continue without additional safeguards. The interim period lasts for four months, but is automatically extended for another two months unless either the EU or the UK objects to an extension.
GDPR has been adopted wholesale into UK law in the Data Protection Act 2018, which means that data transfers from the UK to the EU can continue seamlessly, as long as the EU has been given a finding of adequacy by the UK authorities – the UK has already made that decision, so for the time being, and unless the UK position changes in the future, data transfers out of the UK into the EU are dealt with as before.
In the short term, therefore, for most purposes it is business as usual for data transfers in both directions between the UK and the EU. However, this only applies until the end of the interim period referred to above, unless the EU Commission makes a finding of adequacy in respect of the UK’s data protection environment.
Regarding the longer term picture, on 19 February 2021, the European Commission made a draft finding of adequacy in respect of the UK. The Commission issued a press release, stating that it had considered UK law and practice and had concluded that the UK provides an “essentially equivalent” level of protection to that available in the EU.
The finding of adequacy is not yet binding, as it must be approved by the European Data Protection Board and ratified by EU member states. If the finding is adopted, it will last for a period of four years and will be subject to ongoing review of the UK’s continuing data protection environment.
It cannot be guaranteed that the European Data Protection Board and member states will approve the finding of adequacy, and they may ask for additional safeguards in the UK (particularly around the access to personal data by public authorities, such as law enforcement agencies), but the draft findings are a step in the right direction which, if ratified, will ensure that data can continue to flow smoothly between the UK and EU.
If you have any questions and/or would like advice on any Commercial Law matter, please speak to Ben Habershon at: firstname.lastname@example.org or to your usual Dixcart contact.