The EU-UK Trade and Cooperation Agreement was announced on 24 December 2020. The good news for any organisations transferring personal data from the EU to the UK is that a further transitionary period has been introduced, pending the Commission's completion of its adequacy assessment.
However, there is still no certainty that an adequacy decision will be made and organisations should ensure that they have identified what steps may be necessary to enable transfers of personal data to continue.
Upon the expiry of the post-Brexit transition period, the UK became a third country for the purposes of EU data protection law. This means transfers of personal data from the EU/EEA to the UK are transfers to a third country and subject to Chapter V of GDPR. In the absence of an adequacy decision from the European Commission, organisations transferring personal data from the EU/EEA to the UK would need to use appropriate safeguards (for example, standard contractual clauses (SCCs) or binding corporate rules) or identify an appropriate derogation under Article 49.
While the Commission commenced its adequacy assessment process in Spring 2020, that process is still ongoing. As we got closer to the end of the post-Brexit transition period, organisations were advised to assess their EU/UK data transfers and take action to ensure that the transfers could continue if no adequacy decision had been made by 31 December.
In most cases, this meant putting in place SCCs between the data exporter and data importer. This process was complicated by the Schrems II decision, which means data exporters need to undertake additional diligence and may need to put in place supplementary measures.
What does the Trade and Cooperation Agreement say on data EU-UK transfers?
The Trade and Cooperation Agreement introduces a four month transitionary period (extendable to six months) from 1 January 2021, during which a transfer of personal data from the EU/EEA to the UK will not be considered as a transfer of personal data to a third country. This means organisations transferring personal data to the UK during the transitionary period do not need to put in place SCCs or other appropriate safeguards.
During the transitionary period it is anticipated that the Commission will complete its adequacy assessment.
If the assessment is positive, then no additional steps will be required for transfers of personal data from the EU/EEA to the UK. If the assessment is negative, then SCCs or other appropriate safeguards will be required from the end of the transitionary period.
While the fact that the EU and the UK reached an agreement on the Trade and Cooperation Agreement and a transitionary period has been included may suggest that an adequacy decision is likely, it is by no means certain. If granted, this would be the first adequacy decision since Schrems II, and the Commission will need to satisfy itself that UK surveillance laws are compatible with EU law and that UK rules on surveillance and bulk data collection are justified.
Organisations involved in EU/UK data transfers should therefore still ensure that they have identified all such transfers and the steps that they will take if the outcome of the adequacy assessment is not positive (including any Schrems II supplementary measures).
Does this delay the extra-territorial application of GDPR to UK based organisations?
No. Article FINPROV.10A of the Trade and Cooperation Agreement applies only to the provisions of GDPR dealing with transfers of personal data to third countries under Chapter V of GDPR.
It does not delay the application of Article 3(2) of GDPR to organisations established in the UK. Organisations that act as a controller or processor where processing activities relate to offering goods or services to data subjects in the EU/EEA or monitoring their behaviour will continue to be subject to GDPR.
This means that their processing activities may be subject to dual regulation under both UK data protection law and GDPR, and there may be a requirement to appoint a representative in the EU.
You can find out more in our Guide to Data Protection and the End of the Post-Brexit Transition Period.
What else should we be doing?
All organisations should review and update their privacy notices, internal policies and procedures and records of processing activities to ensure that they are up to date.
For example, if the processing that an organisation undertakes is subject only to UK data protection law, references to EU law and transfers outside the EEA should be removed and replaced with references to UK law and transfers outside the UK. Transfers to the EEA should be recorded alongside other international transfers of personal data.
If organisations are dual regulated, then policies and procedures and records should be updated to reflect this.
If you have not yet started this exercise, our top five steps is a good place to start.
If you would like to discuss how Brodies can help your organisation prepare for the end of the post-Brexit transition period or the impact of Schrems II on data transfers, please contact Martin Sloan or Grant Campbell.