December 2020 Update: This post was originally titled “Brexit, Trade Deals and GDPR: What happens next?’ and published in September 2020. It was updated on 26th December 2020.
So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.
Internation Transfers
On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.
The problem has been solved albeit temporarily. Page 406 and 407 of the UK-EU Trade and Cooperation Agreement contains provisions entitled, “Interim provision for transmission of personal data to the United Kingdom.” This allows the current transitional arrangement to continue i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.
The UK GDPR
Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.
These and other GDPR developments will be discussed in detail in our online GDPR update workshop.
Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe. Our GDPR Essentials e learning course can help you do this in less than 45 minutes.
thanks Ibrahim – I still can’t get a clear view on what we do as a third country data controller receiving our data back from an EU Processor – other than putting suitable measures in place. There is not a specific EU Processor to third country Controller Model Clause – its whether the European Regulators consider their Processors need to have something in place for the transfer or whether we are simply receiving our data back from the EU, which the UK considers adequate. That is, do we re-paper with existing Model Clauses which don’t cover that transfer, do we consider the UK is satisfied, there is no issue, or do we consider a European Regulator might want to see what the Data Processor has done to legitimise that particular transfer…
Hi Michelle. From 1st Jan the UK will not be an adequate country as far as the EU is concerned unless there miraculously appears an EU adequacy finding. So for your EU processors sending data back to you in the UK they have to consider the EU GDPR restrictions on transfers. You are right there are no SCCs to cover this. So they are left with applying an Art 49 derogation. Consent, contract or compelling legitimate interests come to mind. Remember though that if you are based in the UK, there is no issue for you when receiving the data from your EU processor. Hope this helps.