The recently agreed UK-EU Trade and Cooperation Agreement (TCA) will allow personal data to continue to flow freely from the EU (and EEA) to the UK until adequacy decisions have been adopted, for a period that has been agreed at no more than 6 months. This enables businesses across all sectors to continue to freely receive data from the EU (and EEA). It also means that after six months a permanent decision on adequacy will be made.
UK data protection law has been governed by the EU’s General Data Protection Regulation (GDPR) since it came into effect across all EU member states (including the UK) on 25 May 2018. The GDPR created a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU.
On 1 January 2021 (exit day), the GDPR ceased to have direct effect in the UK. However, as the UK is committed to maintaining an equivalent data protection regime, a UK version of the GDPR (UK-GDPR) will apply from that date. The UK-GDPR is established by the European Union (Withdrawal) Act 2018, which incorporates the body of EU law (including the GDPR), as it exists on exit day, into UK law thereafter.
This UK-GDPR will carry across much of the existing GDPR legislation, but will apply as an independent law, outside the harmonised regime we have become used to under the GDPR. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (EU Exit Regulations) apply a number of necessary changes to the GDPR to make it relevant to the UK following departure from the EU, for example to remove references to cross-border data transfers with other Member States and participation in EU-wide institutions such as the European Data Protection Board. The EU Exit Regulations also set out the arrangements for the UK to adopt its own adequacy decisions and contractual safeguards for data transfers.
The UK’s Data Protection Act 2018 remains in place with some amendments, effectively subordinate to the UK-GDPR.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 will remain in place but will now refer to the UK-GDPR.
Organisations operating in both trading areas will need to be ready to manage privacy compliance under what will become two separate (albeit more or less parallel) legal and regulatory enforcement regimes, and to organise their privacy and compliance structures accordingly.
The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from an adequacy decision. However, the EU Exit Regulations:
- effectively grant interim adequacy decisions in favour of all the EEA member states. Therefore, UK organisations may continue to be able to send personal data to organisations in the EEA; and
- allow UK organisations to continue to rely on the 13 existing adequacy decisions adopted by the EU, which allow data to be transferred to countries previously deemed as adequate (e.g. New Zealand, Israel, Channel Islands).
These arrangements are intended to be temporary measures, and in time the UK is expected to conduct its own adequacy assessments (including of all EU member states). However, in the interim they provide welcome continuity and certainty.
Until the TCA was published, there was considerable uncertainty about what would happen, with a ‘no deal’ scenario preventing organisations from transferring data into the UK without adopting Standard Contractual Clauses (SCCs) and conducting transfer impact assessments for each data transfer.
The TCA resolves this by making it lawful to transfer personal data from the EU to the UK for a period of up to six months from 1 January 2021. This ‘bridging’ period is designed to allow the EU the time needed to adopt a formal adequacy decision which will allow the continuing flow of personal data to the UK at least for an interim period (this is subject to the UK holding back from adopting any of its own adequacy decisions or approving any new SCCs that go beyond those already approved by the EU, without prior EU approval).
An EU-UK Joint Declaration, published alongside the TCA, includes a clear commitment from the EU to secure a favourable adequacy decision for the UK within the near term. Although the EU-UK Joint Declaration is not legally binding, the commitments that have been made, alongside the six-month bridging period in the trade agreement, will give sufficient confidence to anticipate that adequacy will be resolved shortly.
Areas to consider
As well as managing cross-border data transfers, firms should ensure that all references in governance records, contracts and transparency notices to the EU/EEA are updated to reflect the post-Brexit position of the UK being outside the EU. This may require changes to:
- Records of processing activities, insofar as these are impacted by Brexit;
- Privacy Notices, which should refer to any data transfers to ‘third countries’;
- Data Protection Impact Assessments (DPIA), which may need to be updated if they refer to a transfer which becomes a transfer to a ‘third country’ on exit day; and
- Contracts with third parties, if they include specific reference to the GDPR, EEA or anticipate a data transfer between the EU and the UK.
Help and Advice
If your firm requires any assistance in understanding the implications of the potential changes to your data protection obligations, please do not hesitate to contact us.