Brexit Deal: UK–EEA free flow of data to continue for up to six months

The UK and EU reached a Trade and Cooperation Agreement on 24 December 2020 (more commonly known as the “Brexit deal”). While the media focussed mainly on trade arrangements, the deal contains important provisions on data transfers.

The deal extends the free flow of personal data between the EEA and the UK for up to six months from 1 January 2021. 

Brexit deal and the data transfer problem

The Brexit transition period ended at 11:00pm on 31 December 2020. The UK was therefore due to become a “third country” for EEA data privacy matters. This means additional safeguards would have been required to transfer data from the EEA to the UK (such as Standard Contractual Clauses or Binding Corporate Rules), a position further complicated by the Schrems II decision in 2020. 

Prior to 31 December 2020, the UK had separately recognised that the EEA uses adequate personal data safeguards (albeit stating this would be kept under review), so no additional measures are currently needed to transfer data from the UK to the EEA.

However, the EU has yet to give the UK an adequacy decision which would permit free flowing international transfers of personal data from the EEA to the UK.

Temporary solution

The Trade and Cooperation Agreement does not contain an adequacy decision for the UK – this is a separate process. However, it provides a temporary solution. 

The Trade and Cooperation Agreement outlines that personal data transferred from the EU (and EEA nations) to the UK is not considered a transfer to a third country under EU law. Therefore, the GDPR’s additional safeguards required for data transfers to a third country do not come into effect immediately.

This Agreement will continue for four months, to be extended to six months unless one party objects or an adequacy decision is reached sooner. In practice, the arrangement is therefore likely to last six months.

As a pre-condition, the UK has agreed that it will not (i) change its data protection laws from those in place on 31 December 2020; or (ii) exercise certain "designated powers" relating to international transfers without the EU's agreement. 

If the UK changes its data protection laws (other than to align with updates to EU data protection law), or exercises any of these designated powers without consent, the interim period will automatically come to an end.

Adequacy decision

The six-month period gives a short window for the EU and UK to adopt adequacy decisions (the UK currently recognises the EEA as giving adequate levels of data protection, but it is not mutual and could always change). However, adequacy decisions are not guaranteed, and organisations should keep watch for further developments. 

Comment

This solution, albeit only short term, is welcome. It avoids a last-minute scramble from controllers to implement the necessary safeguards following the end of the transition period. 

The ICO released a statement on 28 December 2020. It welcomed the news and recommends, as a sensible precaution, businesses work with EU and EEA organisations who transfer personal data to them and put in place alternative transfer mechanisms (for example Standard Contractual Clauses), to safeguard against any interruption to the free flow of EU to UK personal data. 

While we await the EU Commission’s decision on adequacy, other GDPR requirements impacted by Brexit are not contained in the Trade and Cooperation Agreement, such as the need to appoint an EEA representative (unless you have an entity already based in the EEA that can take on that role) and to re-evaluate who is an organisation’s lead supervisory authority.

We will keep you updated on further developments. Please contact a member of our data protection team for further information.