The UK finally left the EU at midnight on 31st December 2020. What does that mean for the transfer of personal data between the UK and the remaining countries in the EU? As ever, the position is not straightforward.
When the UK was a member of the EU, and during the Brexit Transition Period, personal data could be transferred between organisations within the European Economic Area (EEA), provided that there was a legal basis for doing so under the General Data Protection Regulation 2016/679 (GDPR). Transfers outside the EEA were only permitted if:
- The European Commission was satisfied that the data protection laws in the recipient's country were adequate and there was a “declaration of adequacy” for that country.
- The parties used the standard contractual clauses published by the European Commission, which were designed to protect the data.
- The parties had adopted binding corporate rules approved, in the UK, by the ICO.
- The transfer fell within one of the derogations set out in the GDPR, which were intended to be used only in exceptional circumstances and not as a matter of routine.
What is the UK’s status after 31st December 2020?
It is a “third country” and the EU has not made a declaration of adequacy, possibly because of concerns about how the UK may amend its data protection laws. The position is further complicated because of the judgment of the European Court in the summer in a case known as Schrems II, which cast doubt on the validity of the standard contractual clauses.
All is not lost, however, because the importance of the flow of data was recognised in the UK-EU Trade and Cooperation Agreement. For data protection purposes, the UK will be treated like an EU member for a “Specified Period” provided that it:
- continues to implement the GDPR;
- does not amend the Data Protection Act 2018;
- does not publish its own standard contractual clauses;
- does not approve its own Code of Conduct for the international transfer of data; and
- does not use certain designated powers relating to data protection without the consent of the EU.
The Specified Period is four months, which will be extended for a further period of two months unless either the UK or the EU objects. It will come to an end if the UK breaches the conditions or the EU makes a declaration of adequacy.
Meanwhile, the UK has already decided that data can be transferred to EU countries on the same terms as it can be transferred within the UK.
The net result is that data can be transferred between the UK and the EU member states in the same way as it was before 31st December 2020. However, if there is no declaration of adequacy by the EU within the Specified Period, businesses may be facing another cliff edge, when data can be transferred from the UK to the EU but not from the EU to the UK – unless, of course, the UK asks for an extension!!
Businesses that rely on data from the EU will have to be alert to developments during the Specified Period and to any additional requirements that may be placed upon them, such as the appointment of a representative in the EU if they collect the personal data of EU citizens.