Brexit and the transfer of personal data
On 24 December 2020, the European Union and the United Kingdom (‘UK’) reached an agreement on the "UK-EU Trade and Cooperation Agreement" (‘Trade Agreement’) which entered into force on 1 January 2021. This is, therefore, a good time to take stock: how do things stand with the transfer of personal data to companies in the UK almost a year after Brexit?
Transfer to the UK
The UK has not been part of the EU since 1 February 2020. Under the EU-UK Withdrawal Agreement, personal data could still be shared freely with organisations in the UK. On 31 January 2021, however, that agreement came to an end. As a result, some tense moments remained at the end of last year, waiting to see whether it would still be able to share personal data freely with the UK in 2021 under the General Data Protection Regulation (‘GDPR’). After all, the GDPR imposes strict requirements on the transfer of personal data to countries outside the EU. Personal data may be transferred if the European Commission has ruled that a particular country offers an adequate level of protection of personal data (‘Adequacy Decision’). However, no such Adequacy Decision has yet been made regarding the UK. This means that personal data may only be exchanged if there are appropriate safeguards in place. Appropriate safeguards may include, for example, the conclusion of standard data protection clauses adopted by the European Commission (‘Model Clauses’) with the organisation in the UK or a transfer between group entities on the grounds of binding corporate rules (‘BCRs’). This means that if, after the end of the EU-UK Withdrawal Agreement, there hadn’t been a deal between the UK and the EU, organisations would not be allowed to transfer personal data without further appropriate safeguards, such as Model Clauses or BCRs, in place. Only in case of occasional transfers in specific situations exceptions exist under the GDPR.
The current agreement
Under the new Trade Agreement, the UK is not yet considered a ‘third country’ within the meaning of the GDPR, which means that personal data may still be transferred to companies in the UK until an Adequacy Decision has been issued by the European Commission or the expiry of four months, whichever is the earlier. This four-month period is automatically extended by another two months, unless the EU or the UK objects to such extension. In practical terms, the Trade Agreement therefore appears to extend the pre-2021 situation by six months, up to 30 June 2021.
Consequences of the Trade Agreement for transfers
The effect of the Trade Agreement is that for the next four (and probably six) months, organisations will be allowed to transfer personal data to organisations in the UK without taking any further safeguards. In addition, it is expected that an Adequacy Decision will be issued before 30 June 2021, which means even after this date, little will change for such organisations. However, if an Adequacy Decision is not issued in time, organisations will have to put appropriate safeguards in place. In that context, it is recommended to take such a situation already into account when concluding agreements and to put appropriate safeguards in place.
Naturally, we monitor developments closely and are available for questions about, or support in contracting with, parties that transfer personal data to the UK.
This is a Legal Update by Elze 't Hart.