On 24th December 2020, the UK and the EU finally agreed on the terms of a Brexit deal, including an interim solution to the issue of personal data transfers from the EU to the UK. This interim arrangement gives some much-needed breathing space to European organizations with UK affiliates or that use UK service providers, and renewed hope for an eventual adequacy decision from the European Commission covering transfers of personal data to the UK.
The interim solution agreed allows companies and organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to approve an adequacy decision in favour of the UK (under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679).
The relevant terms are set out in the EU-UK Trade and Cooperation Agreement (‘Agreement’) in Article FINPROV.10A (which starts at page 406 of the 1246 page document), which is also summarised by the UK government here. The key points to note are as follows:
- During the extension period, transfers of personal data from the EU to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains the same as it is as of 31 December 2020);
- The same applies to transfers from Norway, Liechtenstein and Iceland (the additional countries, which with the EU, form the European Economic Area (EEA));
- The initial four-month extension period will end when adequacy is granted, or may be extended by two further months unless the UK or EU objects;
- If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.
The ICO has also issued a statement on the Agreement, including an encouraging quote from Commissioner Elizabeth Denham confirming
This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.
The Commissioner’s statement also contains a note of caution, however, reminding us that adequacy is not guaranteed: “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.” In an ideal world, if there is no adequacy finding, and businesses need to revert to using SCCs, the newly drafted versions (currently awaiting approval) could potentially be used at that time instead of producing drafts based on the existing SCCs now, only to revise them later. There is also the potential for UK versions of SCCs, but let’s not complicate it further.
As we have previously reported, transfers of personal data in the reverse direction, from the UK to the EU, can also continue without interruption, as the UK had already recognised the adequacy of Europe’s data protection standards.
This interim agreement at least temporarily resolves the problem of the UK being considered by the EU as a third country, for personal data transfer purposes, but businesses will still need to address other issues created by Brexit, including privacy notice updates and the appointment of an EU representative where necessary. Please get in touch with your usual SPB contact or any member of our Data Privacy and Cybersecurity team for further assistance on these requirements.