The UK officially leaves the EU, but what does this mean for transfers of personal data?
By Sarah Pearce, & Ashley Webber
On 24 December 2020, it was announced that the EU and the UK had finally reached a Brexit agreement (the Trade and Cooperation Agreement) and on the evening of 31 December 2020, the Brexit Transition Period officially ended. We have discussed on several occasions the effects Brexit will have on data privacy (for example, please see here), including the implementation of a UK GDPR in replacement of the GDPR and the effect on transfers of personal data from the EU to the UK. The points previously raised were discussed in the context of the end of the Transition Period being their “trigger” and, subject to the effects on data transfers (as discussed below), such points are all now very much active issues which any organisation processing personal data in the UK and EU should be aware of.
The UK GDPR
Following the end of the Transition Period, the UK is no longer subject to the GDPR. However, the UK has incorporated the GDPR into UK law to the fullest extent possible (subject to certain amendments required for the UK legal regime): the key principles and obligations of the GDPR are enshrined in the UK GDPR. This means that for any organisations processing personal data in the UK post-Brexit, the position with regard to processing UK personal data essentially remains the same as under the GDPR.
Data Transfers from the EU to the UK
As noted above, our previous discussions on the effects of Brexit on data privacy focused on the end of the Transition Period essentially being the trigger for such effects occurring. It was anticipated that from 1 January 2021, the UK would be considered a third country under the GDPR for data transfer purposes given it was no longer an EU member state. However, it was agreed in the Trade and Cooperation Agreement that, instead, the UK will be given a further “Specified Period” (i.e., a further Transition Period) with respect to data transfers: during such time the UK will not be treated as a third country. This means personal data can continue to flow freely from the EU to the UK. This Transition Period allow for the continued pursuit of a European Commission adequacy decision in favour of the UK. The “Specified Period” began on 1 January 2021 and ends either: 1) on the date on which an adequacy decision is adopted; or 2) four months after the Specified Period begins, which shall be extended by two months unless either the EU or the UK objects (i.e., no later than 1 June 2021).
This Specified Period for transfers was not something widely discussed or expected before its announcement, and therefore many organisations took steps to ensure data transfers post-Brexit would not be unlawful (e.g., implementation of Standard Contractual Clauses). It’s important to highlight that such actions were not undertaken in vain: firstly, it is not guaranteed whether an adequacy decision will in fact be granted and, if not, organisations will be required to take such actions (and act quickly to implement); and secondly, undertaking a review of international data transfers and being aware of data flows is key for compliance with data privacy laws, particularly given the impact of the decision in Schrems II in July 2020.
So what’s next?
With regard to data transfers, we find ourselves in a sort of “holding pattern” until the Specified Period ends. The ability to transfer data freely during this transition is particularly useful for those organisations that had not been prepared and not considered the impact Brexit would have on data privacy compliance; such an analysis should nevertheless be undertaken as soon as possible. Further, the potential for an adequacy decision is hopeful news as such a decision will make the flows of personal data for organisations operating in the EU and the UK significantly easier. We will continue to monitor the situation and provide updates as to its progress.