Brexit: Welcome reprieve for data transfers from the EEA to the UK
Background
At 23.00 (GMT) on 31 December 2020, the transition period agreed under the Withdrawal Agreement between the EU and the UK expired. From that point, Regulation (EU) 2016/679 (the “GDPR”) ceased to have direct effect in the UK. Whilst the UK has onshored much of the existing EU GDPR legislation into UK legislation (“UK GDPR”), the European Commission has not yet adopted an adequacy decision in relation to the UK’s data protection regime.
As a result, any transfer of personal data from any EEA Member State to the United Kingdom from 1 January 2021 onwards constitutes a “third country” transfer, which ordinarily requires EEA data controllers and EEA data processors to implement certain additional safeguards in order to ensure an adequate level of protection of personal data of EEA data subjects, the most common of which is the use of “Standard Contractual Clauses”.
EU-UK trade cooperation agreement
Under the EU-UK Trade and Cooperation Agreement (the “Agreement”) concluded on 24 December 2020, the parties agreed a “grace period” during which transfers of personal data from EEA Member States to the UK will not be considered a “third country” transfer under the GDPR. The Agreement provides that the specified period will last for no longer than six months from 31 December 2020.
This means that during the specified period, personal data can continue to flow from the EEA to the United Kingdom without any additional safeguards such as Standard Contractual Clauses being required. This is subject to an important caveat: if, during this period, the United Kingdom amends the data protection laws it has in place on 31 December 2020, or exercises certain powers under the Data Protection Act 2018 or the UK GDPR without the agreement of the EU Partnership Council, the specified period shall automatically end.
It is interesting to note that the Irish Data Protection Commission has indicated on its website, post Agreement, that it believes that the European Commission plans to adopt an adequacy decision in relation to the United Kingdom within the specified period. However, the UK Government has indicated on its updated website page that: “As a sensible precaution, before and during the bridging mechanism, it is recommended that you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.”
If an adequacy decision in relation to the United Kingdom is announced by the European Commission, this will mean personal data can continue to flow from the EEA to the United Kingdom without any further safeguard being necessary after the expiry of the specified period.
The United Kingdom has also confirmed that it has, on a transitional basis, deemed EEA Member States and those other countries which, as at 31 December 2020, were covered by a European Commission ‘adequacy decision’, to be adequate to allow for data flows from the UK without any additional safeguards being required.
UK controllers and processors – compliance with GDPR and the potential need for an EEA representative
While the grace period gives some breathing room for transfers of personal data from the EEA to the UK, UK data controllers and UK data processors may still need to comply with the provisions of the GDPR and appoint a representative in the EEA, by reason of the application of Article 3(2) and Article 27 of the GDPR, if they are offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA. Any UK controller or processor of personal data of EEA data subjects may therefore wish to carry out an assessment of its processing activities to determine whether it could fall within the scope of such provisions.
Equally, Irish controllers and processors may wish to consider if equivalent obligations arise for any processing of personal data of UK data subjects under the UK GDPR.
DISCLAIMER: This document is for information purposes only and does not purport to represent legal advice. If you have any queries or would like further information relating to any of the above matters, please refer to the contacts above or your usual contact in Dillon Eustace.
Copyright Notice: © 2024 Dillon Eustace LLP. All rights reserved.