On 1 January 2021, the United Kingdom officially ended its 47-year membership of the European Union. As part of the UK’s withdrawal from the EU, the parties negotiated and signed a settlement agreement on 24 December 2020, known as the EU-UK Trade and Cooperation Agreement (the “Agreement”). The key aim of the Agreement is to maintain – as much as possible – a frictionless trade of goods, services and data so as to limit the disruption that would otherwise affect businesses and organisations across the UK and the EU. The Agreement also regulates data protection, bringing much-needed clarity regarding the short, medium, and long-term outlook on data transfers between the EU and the UK.
As of 1 January 2021, Regulation (EU) 2016/679 (EU General Data Protection Regulation – EU GDPR) ceased to apply in the UK, and as a result the UK is now a third country for purposes of the transfer of data originating in the EU. Under the EU GDPR, international data transfers from the EU to a third country require a legitimate transfer mechanism in the form of:
- an ‘adequacy Decision’ from the European Commission;
- an adequate ‘appropriate safeguard tool’ (Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), etc.); or
- the reliance of an adequate derogation (explicit consent of the individual, public interest, etc.).
The outcome of the negotiation
As part of the Agreement, a four-month ‘transition period’ beginning on 1 January 2021 and extendable to six months allows for data to be transferred freely between the EU and the UK. The transition period will allow time for the European Commission to undertake an adequacy assessment of the UK data protection regime.
As a corollary to the Agreement, a number of political declarations were issued at the end of the year. One such declaration drafted between the EU and UK concurred that an adequacy regime is in the interests of both parties.
Impact on EU and UK organisations
Until an adequacy Decision is issued by the European Commission and the transition period remains in place, the free flow of data between the EU and the UK may continue unhindered.
The UK and a number of EU National Supervisory authorities have released statements to this effect and, therefore, business may continue as usual and there will be no requirement for organisations to adopt additional safeguards into contracts for the transfer of data to and from the EU (i.e., no SCCs are required for now).
It should be noted that the Transition Period is subject to the UK maintaining its current data protection regime (UK-GDPR, Data Protection Act 2018, PECR) and ensuring that it applies to all data transferred into the UK. If the UK deviates from the current regime, alternative transfer tools may need to be adopted. However, given the positive developments in the negotiations, there is hope that an adequacy Decision will be obtained before the end of June and, as a consequence, little will change in the daily data protection practices of UK and EU organisations.
Developments should be monitored closely and, in the event that, either the UK does not receive a favourable adequacy decision before the end of June 2021, or the current circumstances change, contingencies will need to be considered and alternative mechanisms may need to be adopted to ensure data transfers are appropriately managed.
The Trilateral Research Data Protection and Cyber-risk team has extensive experience helping organisation’s establish processes and procedures for ongoing compliance. We offer data governance services that can help your organisation develop policies and procedures for ongoing compliance. Trilateral can help audit existing practices, perform gap analyses, and offer compliance support to ensure your organisation is compliant during, and after the Brexit transition. Please feel free to contact our advisors, who would be more than happy to help.
