30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here. Half-way through the bridging period is probably a good time for an update.
Update? Didn’t I read a few weeks ago that the EU issued the UK adequacy decision, and it’s now all done and dusted?
No, not really. What happened is that on 19th February 2021 the European Commission issued two UK adequacy decisions (one for transfers under the GDPR, and the other for transfers under the Law Enforcement Directive), but only in draft form. The drafts have now been passed to the European Data Protection Board (EDPB) for them to review and issue their non-binding (but influential) ‘advisory opinions’. After the advisory opinions have been issued, and any EDPB-recommended changes have been incorporated into the text of the adequacy decisions, the drafts will then need to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’. Once approved, the adequacy decisions can be formally adopted by the Commission, and become legally effective.
Ah, so not quite done and dusted. Will this all be wrapped up by 30th June?
Probably. The good news is that the draft adequacy decisions were issued by the European Commission without any material conditions attached to them, i.e. the Commission considers that the UK’s data protection laws and systems are adequate. Also positive was the prediction of the EU Head of International Data Flows, Bruno Gencarelli, who said in a LinkedIn webinar on 27th January 2021 that he was confident the UK adequacy decisions would be adopted “by the end of the bridging period”. Ditto the prediction of the EU Commissioner for Justice, Didier Reynders, who, according to Vincent Manancourt of politico.eu, said on 16th February 2021 that the EDPB’s “opinion on UK data flows decision [is] expected mid-April […] Whole process to be wrapped up by Brussels by end of May/early June”.
Less positive were the widely-publicised comments of the UK culture secretary Oliver Dowden, who in his FT article on 27th February said: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”; and that the UK can now be more “agile” when it comes to “[striking] our own international data partnerships with some of the world’s fastest growing economies. […] The EU has been slow to act on this, declaring only 12 countries ‘adequate’ in the past few decades”. Announcing the UK’s intention to diverge from the GDPR and criticising the EU’s historic approach to adopting adequacy decisions, all while the EDPB is busy considering the UK’s application, may not have been Mr Dowden’s best idea.
All very interesting, but I’ve got data flows with EU customers and other data partners which need to continue after 30th June. What do I need to do?
You’ve got a number of options, including:
- Do nothing. If the GDPR adequacy decision isn’t adopted by 30th June 2021 (and the bridging period isn’t extended), then deal with the situation on 1st July. If this option appeals, then bear in mind that although you may be willing to take a risk-based view on the legality of your post-30th June data flows, your EEA data partner may not.
- Put in place a valid transfer mechanism or safeguard (most likely Standard Contractual Clauses (SCCs)) ASAP, even though they may end up not being needed. This is clearly ‘best practice’, and consistent with the ICO’s recommendation: “If you receive personal data from the EEA, we recommend you put alternative safeguards in place before the end of April”.
- Contact each of your EEA data partners, and suggest to them that if the GDPR adequacy decision has not been adopted by, say, the end of May, or even mid-June, then you will both work together with a view to putting in place SCCs by 30th June.