The UK-EU Trade and Cooperation Agreement, finally signed on 30 December 2020, has provided some protection against the cliff edge of the ending of the transition period in relation to transfers of personal data from the EU/EEA to the UK. It provides for an interim period of four months (which can be extended to 6 months) as a bridge, to allow data flows to continue without interruption whilst the EU continues to consider an “adequacy” finding for the UK’s data protection regime. The effect is that during the bridging period, the UK will not be treated as a third country.
For UK to EU data flows, the position continues to be that the UK will treat the EU regime as adequate, although this remains subject to review. No additional safeguards are therefore normally going to be needed for a transfer of personal data from the UK to the EU – initially at least. Countries that have “adequacy” findings from the EU will also continue to be treated by the UK as adequate, and 11 of the 12 third countries deemed adequate by the EU are maintaining unrestricted personal data flows with the UK.
For EU to UK data flows, the bridging period is intended to allow businesses time to put in place the appropriate safeguards for personal data transfers to the UK to apply unless and until the EU determines – if it does – an adequacy finding for the UK regime.
As to the choice of safeguards, the position is unchanged by the Trade and Cooperation Agreement. The various issues that existed in relation to these safeguards continue to be problems. These include that the standard contractual clauses must be considered in the light of Schrems II, and the gaps in what processing these SCCs cover. The proposed new SCCs (to include processor to processor clauses) have been produced by the EU and are subject to consultation.
In respect of personal data transfers to the rest of the world, a safeguard (or a derogation in the applicable specific and limited circumstances) will need to be put in place for data transfers from the UK, in accordance with the provisions of the UK GDPR.
There is an oddity to be kept in mind which relates to defined “legacy data” that was acquired before the end of the transition period and processed under the EU GDPR, or is processed on the basis of the Withdrawal Agreement. This legacy data will continue to be subject to the EU GDPR (in a frozen form as it applied on 31st December) until an adequacy finding is made. Whilst the UK and EU GDPR regimes remain closely aligned, this may have limited practical effect on most UK businesses, but it will be important to be able to identify the data to which these rules apply.
Given the end of the transition period, the other key issues for UK businesses to be alert to are the ending of the ICO’s involvement in the “one stop shop” arrangements, and the need for UK businesses whose processing activities will still be subject to the application of the EU GDPR to appoint an EU based representative.
For more information, please contact the author.