On 24 December 2020, the European Union (“EU”) and the United Kingdom (“UK”) concluded a Brexit trade deal: the EU-UK Trade and Cooperation Agreement (“Agreement”). The Agreement contains provisions about, among other things, data transfers between the EU and the UK.
Transfer of data from the EU to the UK
As part of the Agreement, the UK and the EU have agreed that the General Data Protection Regulation (“GDPR”) will remain applicable in a transitional manner to the UK for a maximum additional period of 6 months (minimum 4 months, if either party objects to the additional period of 2 months). However, the transition period will only apply subject to the condition that the UK will not change its data protection rules and as long as the UK does not exercise “designated powers”. These designated powers relate primarily to doing anything new with regard to data transfers.
As a result, until 1 July 2021 any communication of personal data to the UK will continue to take place under the current data protection framework and will not be considered a transfer of data to a third country. No additional formality is therefore required for organisations in the EU or the UK until that date. In particular, it is not necessary to regulate the flow of personal data to the UK by means of appropriate guarantees provided for by the GDPR in relation to transfers to third countries.
At the end of this period of at most six months, and in the absence of a decision from the European Commission generally authorising transfers of personal data to the UK, also known as the “adequacy decision”, any communication of personal data to the UK will be considered a transfer of data to a third country. Such transfers can only be made if appropriate safeguards as provided for by the GDPR are in place, such as standard contractual clauses or binding corporate rules, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available, in accordance with Article 46 GDPR.
Transfer of data from the UK to the EU
As for personal data sent from the UK to the EU, the conditions are defined by the UK legislation. The Agreement states that cross-border data flows between the EU and UK shall not be restricted and the British government announced that there are currently no changes to the way personal data is sent to the EU. Therefore, if you receive data from a UK controller or processor, at this moment no changes are required for these processing operations. This information should be checked regularly with the UK authorities.
Representatives of controllers or processors not established in the EU
On the other hand, the “one-stop-shop” regulatory oversight and cooperation mechanism is no longer applicable in the UK from 1 January 2021, and the UK Data Protection Authority (“ICO”) will therefore no longer participate. However, the ICO will still co-operate and collaborate with the European supervisory authorities. The one-stop-shop facilitates the procedures for companies established in the EU because it makes it possible to harmonize decisions concerning cross-border processing, relying on a lead authority, which is the sole interlocutor for data controllers and the only authority with which the various obligations provided for by the GDPR must be fulfilled.
In these circumstances, as of 1 January 2021, controllers and processors that are established solely in the UK and whose processing activities are subject to the application of the GDPR pursuant to Article 3(2) GDPR (controllers or processors not having an establishment in the EU) will be required to appoint a representative in the EU in accordance with Article 27 GDPR.