Since January 1, 2021, the UK is considered a third country regarding international transfers of data. Except for the interim period of four months set out in the EU-UK Trade and Cooperation Agreement, transfers of personal data from the EEA to the UK will be treated as a data transfer to a third country, and the transfer will need to meet the GDPR requirements for international data transfers.

If the EU does not issue an adequacy decision on the UK for the purpose of international data transfers within the next four to six months, all companies that transfer personal data to the UK will need to ensure that they have appropriate safeguards that comply with the requirements of the GDPR and legitimize transfers of data to the UK.

In this short briefing, you can learn more about (i) the EU-UK Trade and Cooperation Agreement regarding data protection, (ii) the implications of non-compliant data transfers to the UK, and (iii) the GDPR requirements for international transfers of data.

Brexit: bidding farewell to the UK

From January 1, 2021, the EU and the UK form two separate markets. The movement of persons, goods and services has come to an end between these two territories. On December 24, 2020, the EU and the UK agreed the terms of a free trade agreement, a governance framework, and a citizen’s security framework.

As regards personal data protection, the EU and UK commit to uphold high levels of data protection standards, and, for a period of four to six months, an interim period allows the free flow of personal data from EEA countries to the UK, ensuring a transition after Brexit. This is temporary relief for businesses, as a no-deal Brexit would have meant that new transfer mechanisms were needed as early as January 2021.

The UK issued guidance stating that EEA countries will be considered adequate for the purpose of transfers of data, so these transfers will be permitted from the UK to the EEA. But the Brexit deal leaves out the adequacy of data protection rules in the UK, so for data transfers from EEA countries to the UK to be considered legitimate, it is still necessary that the EU issues an adequacy decision under Article 45 of the GDPR.

As regards data protection, the relationship between the EU and the UK remains unchanged until 1 May 2021 (or 1 July 2021, if it is extended). For the second semester of 2021, however, and if the EU does not issue an adequacy decision, things will change.

Risks of non-compliance

Following the transition period, and unless the EU determines the level of adequacy for personal data protection in the UK, the risks of non-compliance for businesses transferring data from an EEA country to the UK are significant.

Businesses infringing provisions regarding the personal data transfers to recipients in a third country are subject to fines up to €20 million or up to 4% of their total worldwide annual turnover, whichever is higher.

Having considered the risks posed by faulty compliance with the rules governing the transfers of data to the UK after the transition period, businesses must understand the GDPR requirements for cross-border transfers and structure internal policies accordingly.

International transfers of data under the GDPR

An international transfer of data is the communication of personal data from a permanent data storage location within the EEA to an identified party, made with the sender’s knowledge or intention to give the recipient access to that personal data at a destination outside of the EEA.

Under Articles 45 and 46 of the GDPR, transfers of data outside of the EEA can only occur if (i) they rely on an adequacy decision of the EU or, if there is none, if (ii) there are appropriate safeguards in place, namely adequate standard contractual clauses, binding corporate rules, codes of conduct, or security certification procedures, save for any of the derogations of Article 49, and (iii) on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

An adequacy decision by the EU determines that a country outside of the EEA has an adequate level of data protection standards to the extent that data can be transferred to that country without any further safeguards. It is expected that the EU will issue an adequacy decision on the UK during the transition period, but businesses should nevertheless be prepared to put in place standard contractual clauses, corporate rules binding their group’s entities, codes of conduct and certification mechanisms in line with the EU’s standards and guidelines.

It is also useful to consider two sets of recommendations issued by the EDPB on personal data transfers to third countries and related to the conclusions of the CJEU in its recent judgment C-311/18 (Schrems II). These recommendations have a special impact on measures that supplement transfer tools to ensure compliance with adequate levels of personal data protection.

Summary

For the first four months of 2021, there will be an interim period, which can be extended for an additional two months, in which transfers from the EEA to the UK can occur legitimately without the requirements set out under the GDPR for international data transfers.
It is noteworthy that the interim period is precarious: in case the UK changes its current legal framework on data protection, the transition period will immediately come to an end, except if previously approved by the EU. At the end of this interim period, unless the EU issues an adequacy decision on the UK data protection framework, transfers of data from an EEA country to the UK are not permitted unless appropriate safeguards are put in place in compliance with GDPR.
