In a spectacular display of brinkmanship, the UK agreed a trade deal with the EU 27 at the eleventh hour, prompting a collective sigh of relief on both sides of the Channel. Although tariff- and quota-free trade is the most notable aspect of the 1265-page EU – UK Trade and Cooperation Agreement (TCA), it also covers a number of other areas, including trade in services, among them digital trade, of which data protection forms a part. As we have mentioned in a previous article, the Information Commissioner’s Office (ICO) had already confirmed that those organisations already complying with the GDPR should be in a good position to comply with the post-Brexit data protection regime. We now have further clarification on how the two-way transfer of personal data between the UK and EEA will be governed over the coming months.
Six-month transition period in place
Although the UK is now considered to be a ‘third country’ under the EU GDPR, both sides have agreed a transition period until 30 April (which can be extended to 30 June by mutual agreement) during which time data transfers between the UK and EEA can continue as at present – providing the UK does not amend its data legislation (which is unlikely). This means that UK businesses can continue to receive and send personal data from and to the EU during this transitional period on the assumption, of course, that they are compliant with current legislation. This transitional period will be used by the EU to determine whether or not the UK provides an adequate level of data protection. If the EU makes an adequacy decision in favour of the UK (which is likely given that the government has stated that it is not seeking to move away from the current legal framework) then personal data can continue to be transferred to the UK from the EEA without the need for additional safeguards.
For those businesses that are already EU GDPR compliant (which should be the case for those regularly transferring or receiving transferred data) or for those that do not transfer data outside the UK, there is nothing else, at the moment, that they need to do. The UK government has already confirmed that there will be no restrictions on personal data being transferred to the EEA at the end of this transition period, although this will be subject to review. If the EU determines that the UK level of data protection is inadequate, then it will seek further safeguards, including contractual obligations to protect personal data transfers, which, for most businesses, means the adoption of Standard Contractual Clauses (SCC), which we have considered in more detail in a previous article. In the absence of either an adequacy decision or safeguards, some organisations may be able to rely on certain exemptions, depending on their reasons for processing personal data (such as law enforcement), which are explained on the ICO website.
EU adequacy decision awaited
Given that the GDPR is already incorporated into UK law and that the government has repeatedly confirmed that it has no intention of diluting our data protection laws, there is no reason to suspect that the EU will not make an adequacy decision in our favour. Nonetheless, if your business relies on personal data being transferred from EEA countries (the EU 27 plus Norway, Iceland and Liechtenstein) then there are a number of steps you need to take to determine that you are fully compliant with the existing legislation and that you have appropriate safeguards in place, such as the SCC. We have been advising businesses on their data protection obligations and how to comply with data protection law for several years. Please get in touch if you need help navigating the six-month transition period and beyond.