Now that the transition period has ended and the Brexit Trade Deal has been agreed between the EU and UK, this briefing note sets out some of the current key data protection points in light of these recent developments.
What has happened since 1st January 2021?
As of 1 January 2021, the UK is deemed to be a "third country" with regard to personal data transfers from the European Economic Area ("EEA"). The GDPR effectively restricts transfers of personal data (from the EEA) to third countries, unless the third country in question is deemed by the EU Commission to have adequate data protection safeguards (also referred to as an adequacy decision), a specific exemption applies or the personal data is protected in some other way.
However, despite this, under the recently agreed EU-UK Trade and Cooperation Agreement "personal data transfers can continue to be made from the EEA to the UK from 1st January 2021 for a bridging period of up to 6 months, without the need for additional safeguards."
If the UK receives an adequacy decision from the EU Commission (i.e. a decision to the effect that the UK has adequate data security laws and standards) within that period, then the bridging period will end but transfers can be made in accordance with that decision. If the UK does not receive an adequacy decision within the bridging period, then transfers will be subject to additional safeguards (see below for more information).
The initial bridging period will run for 4 months from 1 January 2021 and, if an adequacy decision has not been made in that time, it will automatically extend for a further 2 months (totalling 6 months overall), unless either the EU or the UK objects to such extension.
The UK Government has also retained the GDPR into its own domestic data protection law and this is referred to as the "UK GDPR", meaning data protection standards for international transfers and processing of personal data to and from the UK are effectively aligned with those currently set out in the EU GDPR.
The legal framework for transfers and processing of personal data to and from the UK therefore consists of:
- (EU) GDPR
- UK GDPR
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations 2003 ("PECR")
Transfers from the UK to the EEA ("Outward Transfer")
If as a business you are transferring personal data from the UK to the EEA relating to individuals who are not in the EEA, this falls out of scope of the GDPR and is therefore not regulated by it, but the UK GDPR will apply. Under the UK GDPR, such transfers from the UK to the EEA (or to countries with an existing adequacy decision) are permitted in the same way as previously (subject to the usual GDPR rules around processing, data security, legitimate interest etc.).
To the extent that the transfer of personal data from the UK to the EEA relates to a person in the EEA, the GDPR will continue to apply as normal and the transfer will be permitted in the same way as previously (again, subject to the usual GDPR rules).
Transfers of personal data from the UK to other countries (i.e. excluding to the EEA or countries with an existing adequacy decision) are restricted transfers and will require other adequate safeguards, such as Standard Contractual Clauses.
Transfers from the EEA to the UK ("Inward Transfer")
If as a business you are transferring personal data from the EEA to the UK, this is currently permitted for a period of up to 6 months under the EU-UK Trade and Cooperation Agreement, without the need for additional safeguards.
Although the EU Commission is moving towards an adequacy decision for the UK, to the extent this has not been awarded by the end of the bridging period, alternative safeguards, such as the Standard Contractual Clauses ("SCCs"), will need to be put in place between businesses to allow for such EEA to UK personal data transfers.
The SCCs are a set of contractual clauses which would need to be entered into by the relevant parties and are deemed by the EU Commission to offer sufficient safeguards with regard to international transfers of personal data. In most cases, the SCCs are likely to be the most flexible option for businesses and, currently, there are two kinds of SCCs available:
- for data transfers from an EU data controller to a non-EEA data controller ("DC-DC"); and
- for data transfers from an EU data controller to a non-EEA data processor ("DC-DP").
However, businesses engaging in these sorts of transfers should not view the SCCs as a simple 'tick-box' exercise. They should also consider undertaking some form of due diligence or transfer risk assessment, allowing the data exporter to verify the level of protection and assess whether additional measures or safeguards need to be put in place prior to making any transfers (to the UK).
Inability to comply with the SCCs would enable the data exporter to suspend the transfer in question or terminate the SCCs entirely.
As well as considering whether additional safeguards may be required for an otherwise "restricted transfer" under the GDPR or UK GDPR, businesses will need to consider whether they are required to appoint an EEA or UK GDPR Representative (as the case may be).
Generally speaking, those UK businesses who "offer goods and services" or otherwise "monitor the behaviour" of people in the EEA will, from 1 January 2021, be required to continue to comply with the GDPR and may need to appoint an EEA GDPR representative.
Conversely, those overseas businesses who "offer goods and services" or otherwise "monitor the behaviour" of people in the UK will, from 1 January 2021, be required to comply with the UK GDPR and may need to appoint a UK GDPR representative.
An EEA or UK GDPR representative could be a group or associated company but it is also possible to appoint independent third parties to act as a GDPR representative and there are commercial organisations which offer GDPR representative services.
Although the EU-UK Trade and Cooperation Agreement has confirmed that EEA-UK personal data transfers can continue for the time being without the need for additional safeguards (up to a period of 6 months from 1 January 2021), the Government has stated that, as a sensible precaution, it is still recommended that UK businesses work with their EEA counterparts to put in place alternative transfer mechanisms as a means of safeguarding against any interruption to the free flow of personal data from the EEA to the UK.
As such, those businesses who entered into the SCCs or other adequate safeguards prior to the end of the Brexit transition period will not have done so in vain, nor will those who are still contemplating entering into the SCCs during this bridging period.
If you would like advice with regard to your data protection obligations, please get in touch with us.