EU-UK data transfers from 1st January 2021 – where are we?

29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasing likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful. No longer a member of the EU, the UK would be a ‘third country’ for the purposes of the GDPR, and a transfer of personal data to the UK would require a valid transfer mechanism [2].

 

Still no adequacy decision for the UK…

The reason for the need for a transfer mechanism was that, contrary to pretty much everybody’s expectations (except possibly the European Commission’s), the European Commission had chosen not to make an adequacy decision in favour of the UK.  ‘Adequacy decision’ is the GDPR-prescribed mechanism which allows the European Commission to certify that a third country ensures “an adequate level of protection essentially equivalent to that ensured within the [EU]” [3], which then enables organisations in the EEA to transfer personal data to organisations in that third country as if the third country was part of the EEA [4].  In the absence of an adequacy decision, a transfer of personal data to a third country requires a transfer mechanism [5].  Although the GDPR provides for a variety of transfer mechanisms, the only practical option for most businesses is for both the data exporter and data importer to enter into a contract which incorporates the European Commission-approved Standard Contractual Clauses (SCCs) [6].

 

… plus New SCCs coming down the line

Having got that far, I then had to take a deep breath and explain to my clients that putting in place SCCs now would not be quite as straightforward as it perhaps should be.  In November 2020, the European Commission chose to publish new, updated Standard Contractual Clauses (New SCCs) for consultation  [7], with the adoption of the New SCCs expected at some point during the first quarter of 2021.  But the Commission did make it clear that data controllers will be required to upgrade any existing SCCs to the New SCCs within 12 months from the date of adoption.  Accordingly, my (increasingly incredulous) client would not only have to put in place SCCs as a matter of urgency to legitimise their EEA-UK transfers from 1st January 2021, but would then have to repeat the exercise using the New SCCs within a matter of months.

 

Early Christmas present

However, on 24th December 2020 privacy lawyers (and their clients) received an early Christmas present in the form of the announcement of the EU-UK Trade and Cooperation Agreement.  The Agreement provides that the UK’s troublesome ‘third country’ status is suspended for a period of up to six months, subject to the UK not making any changes to its data protection laws or exercising certain rights under those laws without the EU’s prior agreement [8].  Sighs of relief and extra mince pies all round – transfers of personal data from the EEA to the UK can continue without the need for SCCs (or any other transfer mechanism) until 30th June 2021, giving the European Commission plenty of time to pull out its finger and issue the UK with an adequacy decision.

 

So all sorted, one less thing to worry about?

Good question.  The six-month suspension of the UK’s third country status is clearly in expectation of the European Commission making an adequacy decision.  And it is difficult to see on what grounds the Commission could choose not to make an adequacy decision in favour of a former EU member state which is adopting the EU GDPR into its domestic law [9].  But equally, the European Commission has already had more than two years to consider the UK’s request for an adequacy decision, but without any progress.  Plus there’s nothing in the Trade and Cooperation Agreement, or anywhere else for that matter, which obliges the Commission to make an adequacy decision in favour of the UK.

The best approach is perhaps to hope for the best, but also to start planning for the worst.  As the ICO says in its statement on the Trade and Cooperation Agreement: “As a sensible precaution, before and during [the 1st January – 30th June 2021 period], the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data” [10].

 

[1] Trade and Cooperation Agreement

[2] See GDPR, Article 46.  (The GDPR refers to transfer mechanisms as ‘appropriate safeguards’.)

[3] See GDPR, Recital 104 and Article 45.

[4] The European Commission has made adequacy decisions in favour of AndorraArgentinaCanada (commercial organisations), Faroe IslandsGuernseyIsraelIsle of ManJapanJerseyNew ZealandSwitzerland and Uruguay.

[5] See GDPR, Article 46.

[6] Standard contractual clauses for data transfers between EU and non-EU  countries.

[7] Standard contractual clauses for transferring personal data to non-EU countries (implementing act)

[8] Trade and Cooperation Agreement, Article FINPROV.10A

[9] EU (Withdrawal) Act 2018

[10] ICO statement in response to UK Government’s announcement on the extended period for personal data flows

Receive email updates

Subscribe to updates on topics relevant to you. We won’t use your email address for any other purpose, and you can of course unsubscribe at any time.

Which emails would you like to receive:

I consent to my personal information being used to send me updates on the topics that I have selected.