Earlier we wrote about the consequences for the transfer of personal data to (organisations in) the UK in the event of a no-deal Brexit. It is now known that a deal has been concluded between the EU and the UK. Below we explain what has been agreed on the transfer of personal data as of 1 January 2021.
UK as a third country?
The transition period officially ended on 31 December 2020, so the UK became a ‘third country’ in the terminology of the General Data Protection Regulation (‘GDPR’) as of 1 January 2021. In principle, additional safeguards must be put in place when personal data are transferred to third countries (non-EEA countries), unless the European Commission has issued an adequacy decision. Such a decision will be issued if the country in question offers a level of protection equivalent to that of the GDPR. To date, the European Commission has not issued an adequacy decision for the UK.
As part of the Brexit deal, the EU and the UK have agreed that the transfer of personal data to the UK should not be regarded as a transfer of personal data to a third country. This situation will continue until 1 May 2021, unless the European Commission adopts an adequacy decision before then. If no decision has been adopted by 1 May 2021, this arrangement will be automatically extended until 1 July 2021, unless either party objects. All of this is subject to the UK leaving its personal data protection laws and regulations unchanged during this period.
Thus organisations can, in principle, continue to exchange personal data with parties in the UK until 1 May 2021 in the same way as before the UK’s withdrawal from the EU. For the time being, it is not clear what the situation will be like after that date.
What to do?
If your organisation exchanges personal data with (parties in) the UK, we advise you to prepare for the scenario in which no adequacy decision is issued. This would mean that the GDPR rules on the transfer of personal data to third countries will eventually also apply to data transfers to the UK.
We therefore advise you to identify in detail which personal data you are transferring to which parties in the UK and what agreements have currently been made in this regard. Keep those agreements under review and consider whether, and if so how, those agreements will have to be amended from 1 May 2021, or 1 July 2021 respectively (in case of an extension), in order to guarantee a legally valid transfer.
For most organisations, concluding the so-called EU Standard Contractual Clauses (‘SCCs’) will be the most obvious solution if no adequacy decision is ultimately issued. The existing SCCs are currently being revised. A draft version of the new SCCs was published on 12 November 2020 and the consultation is now closed. Although a final version of the revised SCCs is expected to be published in the first half of 2021, it is not certain whether this will be before 1 May 2021 or 1 July 2021. It is therefore possible that the existing SCCs will have to be concluded in order to prevent a transfer of personal data to the UK that is not legally valid after the transitional period.
Furthermore, last summer’s Schrems II judgment made it clear that simply signing the SCCs is not enough. First, a so-called data transfer impact assessment will have to be carried out. In short, this means that the data exporter will have to assess whether the data importer can actually comply with all rights and obligations included in the SCCs. To this end, one of the issues to be considered is the British legislation and regulations applicable to the specific transfer. In addition, this assessment should be carefully documented and provided to the regulator upon request. It is therefore important to keep an eye on whether the UK changes its privacy and data protection laws and regulations in the meantime.
All these uncertainties do not make it easy for organisations to prepare for a legally valid transfer of personal data to the UK after the transition period.