The EU-UK Trade and Cooperation Agreement (TCA) came into effect on 1 January 2021, following the end of the Brexit transition period. The TCA includes important provisions under which personal data can continue to be freely transferred from the European Economic Area (EEA) to the United Kingdom, without any additional steps, during the ‘specified period’.
The ‘specified period’ commenced on 1 January 2021 and will end on the earlier of: (i) the adoption by the European Commission of ‘adequacy decisions’ in relation to the UK; or (ii) 1 May 2021 (which may be further extended to 1 July 2021, if neither party objects).
The specified period is intended to give the European Commission time to confer in respect of the UK ‘adequacy decisions’ under Regulation (EU) 2016/679 (GDPR) and, in respect of transfers for law enforcement purposes, under Directive (EU) 2016/680 (Law Enforcement Directive).
In order to maintain this free flow of personal data during the specified period, the UK must not amend its current data protection legislative regime (save for aligning UK law with relevant EU data protection law) or exercise certain ‘designated powers’ without the EU’s prior agreement. The specified period will come to a premature end if the UK does not comply with these requirements.
An adequacy decision is the ‘white-listing’ by the European Commission of a non-EEA country or organisation as an acceptable destination for transferring personal data originating from the EEA.
The general rule under the GDPR is that personal data may not be transferred to a non-EEA ‘third country’ unless an adequacy decision has been issued for that country, or some other ‘appropriate safeguard’ (for example, the Standard Contractual Clauses) or a statutory derogation is relied upon.
The countries which the European Commission currently recognises as providing adequate protection under the GDPR are: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Adequacy talks are ongoing with South Korea.
Without an adequacy decision from the European Commission, significant additional compliance burdens would arise for EEA businesses transferring personal data to the UK.
Can we expect an adequacy decision for the UK before the specified period ends?
The TCA makes reference to adequacy decisions for the UK, and it is expected that the European Commission will shortly commence the procedure for the adoption of adequacy decisions for the UK under the GDPR and the Law Enforcement Directive.
However, it is not certain that these adequacy decisions will be in place before the specified period ends. On this basis, organisations should put contingency plans in place in advance of 1 May 2021 to ensure their current data flows may lawfully continue if the UK is not granted adequacy.
In the absence of adequacy decisions at the end of the specified period, and unless a statutory derogation is available, personal data governed by the GDPR should only be transferred to a non-EEA ‘third country’ or international organisation if ‘appropriate safeguards’ are in place and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
For the majority of organisations, the most relevant ‘safeguard’ is the Standard Contractual Clauses (SCCs). These are model data protection clauses that have been approved by the European Commission and enable the transfer of personal data to a third country when executed by the relevant parties. The SCCs contain contractual obligations on the controller (data exporter) and the processor or controller located outside of the EEA (data importer), and rights for the individuals whose personal data is transferred.
There are two sets of SCCs for restricted transfers between a controller and controller, and one set between a controller and processor. However, these SCCs were all developed under the pre-GDPR EU data protection regime and do not cover what are now common types of data flows, for example where an EEA processor must transfer personal data to a non-EEA controller. Also, the Court of Justice of the European Union’s (CJEU) decision in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (C-311/18) (Schrems II) has introduced greater complexity in respect of the use of these SCCs.
Against this backdrop, the European Commission published for public consultation draft new standard contractual clauses for the transfer of personal data to third countries, pursuant to the GDPR. The period of public consultation is closed. The draft new SCCs will undergo assessment by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) before adoption by the European Commission through an implementing decision. The implementing decision, once adopted, will repeal all current forms of SCCs and provide organisations with a one-year grace period to implement the new SCCs.
The UK government has stated that transfers from the UK to the EEA are not restricted, so data flowing from the UK to the EEA will continue as normal after the specified period without any additional steps. However, this position will be subject to review by the UK government in the future.
The EU’s agreement to delay data transfer restrictions is welcome news for businesses – particularly for those which did not put in place alternative data transfer safeguards before 31 December 2020. However, notwithstanding the European Commission’s plans to adopt adequacy decisions during the specified period, a UK adequacy decision before 1 May 2021 is not guaranteed, so businesses in the EEA and the UK should establish their own contingency plans to ensure they can continue their expected data flows in any event.
For a lot of businesses, this will involve taking steps now to have the SCCs agreed in advance of this date in case the SCCs must be relied upon. Existing contracts can be modified to provide that the SCCs will apply at the end of the specified period if no adequacy decision is in place at that time. As said earlier in this article, there will be a one-year grace period to implement the ‘new SCCs’ once the European Commission’s implementing decision enters into force, so some businesses may decide to agree the current form of SCCs now and implement the ‘new SCCs’ at a later date. However, this is likely to be a cumbersome approach and so most businesses will likely choose to wait for the adoption of new SCCs – particularly in circumstances where a business needs to use the ‘processor-to-processor’ or ‘processor-to-controller’ modules that will be introduced under the new SCCs.
With effect from 1 January 2021, the UK has adopted its own UK version of the GDPR, which applies in the UK separately from the GDPR. EEA controllers and processors should analyse their privacy structures and processing activities to identify whether, and to what extent, they must now comply with UK data protection laws, which, like the GDPR, have extra-territorial effect. An immediate requirement for some EEA controllers and processors may be to appoint a data protection representative in the UK.
In respect of data transfers to the UK, and wider compliance with applicable data protection laws, it should be remembered that the GDPR’s restrictions on data transfers apply equally to transfers of personal data within the same corporate group. Businesses should analyse their intra-group cross border data transfers as well as those to and from their customers and service providers.
The absence of a guarantee that the UK will have an adequacy decision before 1 May 2021, together with the uncertainty surrounding the use of the current forms of SCCs following the CJEU’s Schrems II decision, means that the complex area of data transfers will remain a hot topic over the coming months, which should be closely watched by controllers and processors in the EEA and the UK.