Following the long awaited, and very last minute, Trade and Cooperation Agreement put in place between the UK and the EU on Christmas Eve we summarise the headlines concerning data transfers as from January 2021:
Transfers from UK to EEA
These will remain subject to the UK's GDPR (which is more or less identical in substance to the EU's GDPR). The UK has confirmed that such transfers are not restricted and so can continue as before without the need for any transfer mechanisms to be put in place.
Transfers from UK to third countries outside the EEA
The position remains similar to the current GDPR rules. Although the UK will in due course make its own adequacy decisions, for the time being existing EU adequacy decisions apply and the EU approved standard contractual clauses (SCCs) can continue to be used where there is no finding of adequacy.
Transfers from EEA to UK
This was the key potential sticking point: From January 2021 the UK is a "third country" so far as the EU's GDPR is concerned; therefore, transfers from the EEA to the UK would be restricted transfers. The UK had been seeking an adequacy decision from the European Commission as part of the Brexit deal to permit such transfers to continue without the need for a transfer tool to be put in place. A joint declaration published alongside the TCA made clear that the EU would undertake this adequacy assessment, albeit that this was not part of the Brexit deal. Pending this, a temporary arrangement was agreed to allow data to continue to be transferred from the EEA to the UK for the next four months (extendable to six months).
The good news is that on 19 February 2021, the EC published a press release stating that it had carefully assessed the UK's law and practice on personal data protection and concluded that the UK does ensure an "essentially equivalent" level of protection to that guaranteed under the EU GDPR. This finding is presently in draft form as it has to be submitted to the European Data Protection Board for a "non-binding opinion". The EC will then request approval from EU member states' representatives before formally adopting this adequacy decision. That should all be a formality but until then the temporary bridging mechanism continues to apply.
If adopted, the decision will be valid for an initial term of four years, only renewable if the level of protection in the UK continues to be adequate. The draft adequacy decision includes strict mechanisms for monitoring and review, suspension or withdrawal, to address any problematic future development of the UK's laws so as to no longer be bound by EU privacy rules.
The UK government has welcomed the draft (whilst critical of the delay in issuing it), urging the EU to complete the approval process swiftly.
A source of massive potential friction to data transfers has been avoided.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.