With the Trade and Cooperation Agreement (the Trade Deal) now concluded between the EU and the UK, we may be edging closer to something resembling certainty for data protection in the UK. This short note highlights the key points.
1. Data Flows
Whilst there is no permanent solution to allow unrestricted data transfers between the EU and UK just yet, there is some positive news here. The free flow of personal data from the EU to the UK can continue for a further 6 months from 1 January 2021 (or 4 months if either party objects). This is intended to provide enough time for the European Commission to put in place an ‘adequacy decision’ that will allow this free flow of data to continue on a more permanent basis.
Whilst adequacy is not guaranteed for the UK, the Trade Deal does pave the way for approval. If adequacy for the UK is confirmed, the more complex administrative measures (such as adopting standard contractual clauses and, in the wake of the Schrems II case, transfer risk assessments) would not be necessary for transfers of personal data from the EU to the UK.
The UK has adopted the EU’s existing data transfer rules for other third countries, meaning that any international data transfers from the UK to, say, the US or to New Zealand can continue on the same basis as before (e.g. using those examples, standard contractual clauses for transfers to the US and relying on the existing adequacy decision for New Zealand). Additionally, any data transfers from the UK to the EU can continue without any legal restrictions.
2. Status of the GDPR
Tied to the above, and as we have known for some time, the GDPR is still going to provide the basis for data protection law in the UK for the foreseeable future. As of 1 January 2021, the GDPR was ‘copied and pasted’ into UK law to become the UK GDPR (as distinct from the EU GDPR which remains the law in the remaining European Union Member States). As we have blogged previously, organisations which operate in the UK and the EU will need to consider whether both legal regimes, which broadly overlap but remain separate, apply to their activities.
Whilst, over time, the UK could move away from the GDPR and make changes to its data protection rules, the Trade Deal includes some specific safeguards which make this unlikely in the short to medium term. For instance, the Trade Deal protects the core GDPR definitions of ‘personal data’ and ‘data subjects’ to ensure that the UK does not narrow its protections (for example, by limiting its application to just UK nationals).
What practical steps should we take now?
1. The GDPR now applies in the UK as the ‘UK GDPR’. Check policies and contracts to ensure that they reflect the fact that the UK is no longer part of the EU (for example, references to the EU or EEA becoming references to the UK, and references to the GDPR becoming references to the UK GDPR).
2. Consider whether your organisation needs to comply with both the UK GDPR and the EU GDPR and what this means in practice – for example, do you need to appoint a representative in the EU? If you have a broader presence in the EU and had relied on the UK’s Information Commissioner’s Office as your ‘lead authority’ under the GDPR, you will need to consider appointing a lead authority in the EU instead.
3. Keep an eye on 1 July 2021 and any announcements before then regarding EU-UK adequacy decisions to ensure no further measures are needed for data transfers. It would be prudent to have a good overview of your key data flows from the EU into the UK in case there is no adequacy decision and you need to put in place another mechanism (such as standard contractual clauses) to ensure the data transfers remain lawful.