Many businesses who either transfer personal data from the UK to the EU, or in the other direction, have been concerned that the post-Brexit data protection landscape is unclear or more complex than before. The particular concern has been than doing business across borders would require extra steps or additional contracts to be entered into.
When the Brexit transition period ended on 31 December 2020, the UK became a “third country” for GDPR purposes, meaning that transfers of personal data from the EU to the UK would be treated as transfers out of the EU. Those transferring data from inside the EU to the UK would have an obligation to ensure that adequate protections for data subjects were in place before a transfer could be made. This means that transfers or personal data into the UK would require additional mechanisms to protect individuals, such as “standard contractual clauses”, with which business in the UK would only be familiar if they were previously transferring personal data to non-EU countries.
However, the trade and co-operation agreement of 24 December 2020 includes an interim provision dealing with personal data transfer from the EU to the UK. This bridging mechanism provides that during the interim period, the UK will not be deemed a third country, and personal data transfers from the EU to the UK can continue without additional safeguards. The interim period lasts for four months, but is automatically extended for another two months unless either the EU or the UK objects to an extension.
GDPR has been adopted wholesale into UK law in the Data Protection Act 2018, which means that data transfers from the UK to the EU can continue seamlessly, as long as the EU has been given a finding of adequacy by the UK authorities – the UK has already made that decision, so for the time being, and unless the UK position changes in the future, data transfers out of the UK into the EU are dealt with as before.
In the short term, therefore, for most purposes it is business as usual for data transfers in both directions between the UK and the EU. However, this only applies until the end of the interim period referred to above, unless the EU Commission makes a finding of adequacy in respect of the UK’s data protection environment.
Regarding the longer term picture, on 19 February 2021, the European Commission made a draft finding of adequacy in respect of the UK. The Commission issued a press release, stating that it had considered UK law and practice and had concluded that the UK provides an “essentially equivalent” level of protection to that available in the EU.
The finding of adequacy is not yet binding, as it must be approved by the European Data Protection Board and ratified by EU member states. If the finding is adopted, it will last for a period of four years and will be subject to ongoing review of the UK’s continuing data protection environment.
It cannot be guaranteed that the European Data Protection Board and member states will approve the finding of adequacy, and they may ask for additional safeguards in the UK (particularly around the access to personal data by public authorities, such as law enforcement agencies), but the draft findings are a step in the right direction which, if ratified, will ensure that data can continue to flow smoothly between the UK and EU.
If you have any questions and/or would like advice on any Commercial Law matter, please speak to Ben Habershon at: email@example.com or to your usual Dixcart contact.
A review of 2020’s biggest employment law issues and a look at what we should expect from the bright and glittery 2021.
We give you a round up of some of the big issues of 2019 in employment law, and what to expect in 2020, including a brief look at what’s likely to be covered by the Employment Bill 2020 and what happens next when the UK leaves the EU.
A review of September’s employment law cases and other news. This month’s cases show the technicalities that make navigating employment law such a challenge and why early and comprehensive advice is so crucial. In other news, we have updated guidance on Brexit, data protection, modern slavery, NDAs and some interesting research about why you should be investing in more training for your employees.
A review of March’s employment law cases and other important news. This month’s tricky situations include: TUPE dismissals; bad leaver provisions; two aspects of the employment/worker status issue; maternity leave and religious discrimination. In other news: ICO Brexit preparation tools; ICO fines; seasonal workers pilot scheme; modern slavery regulation flouting; new holiday pay guidance and reminders that NMW and NLW set to rise from 1 April.