On December 24, 2020, the European Commission and the United Kingdom reached an agreement in principle on the long-awaited Trade and Cooperation Agreement (the “Trade Agreement”). For now, transfers of personal data from the United Kingdom to the European Union — and from the United Kingdom to other jurisdictions recognized by the European Union as having adequate data protection — will continue to be permitted without additional measures. However, this reprieve will only last six months and the UK Information Commissioner’s Office has recommended that companies start exploring alternate means for transfers.
On “Brexit Day,” January 31, 2020, the UK exited the European Union and entered an eleven-month transition period. Without the Trade Agreement, the UK would have been considered a third country for purposes of the EU General Data Protection Regulation (“GDPR”), that is, a state that falls outside of the European Economic Area (“EEA”), beginning on January 1, 2021. The Trade Agreement provides that transfers to the UK will not be considered transfers of personal information to a third country during the transition period and will therefore not be prohibited under the GDPR for the stated transition period.
Among other objectives, the Trade Agreement achieved a transition period for data transfers for business and law enforcement purposes. The UK has already deemed the EU and EEA to offer adequate protections for the flow of data from the EU, but this “bridging mechanism” is designed to allow time for the European Commission to complete its adequacy assessment of the UK under the GDPR and Law Enforcement Directive. The transition period will continue until either (1) a UK adequacy decision is adopted by the European Commission or (2) four months have elapsed, with the option to extend for an additional two months if neither the EU nor the UK object.
The transition period can be cut short if the UK makes unapproved changes to its data protection framework. Similarly, the Trade Agreement prevents both the EU and the UK from enacting measures that restrict cross-border data transfers or otherwise act to require data localization.
Though the Trade Agreement paves the way for a UK adequacy decision, the process is far from complete. An adequacy decision for the UK requires first a proposal from the European Commission, followed by an opinion from the European Data Protection Board and approval by member state representatives. Finally, the commissioners must issue an adopting decision. Additionally, though the Trade Agreement took provisional effect on January 1, 2021, it must be adopted by the European Council and consented to by the European Parliament before it can be ratified and fully implemented. The Trade Agreement will also need to be approved by the UK Parliament.
With respect to data flow from the UK to the EU or EEA, the UK has already deemed those jurisdictions to be “adequate,” so no additional measures need to be undertaken. However, if an adequacy decision is not made by the EU, the UK will be a “third country” for purposes of data flows from the EU and EEA to the UK. Under the GDPR, there are three scenarios in which an entity can legally transfer personal data to a “third country”: (1) the receiver is located within an area covered by an adequacy decision; (2) appropriate safeguards have been established to protect individuals’ rights to their personal data; or (3) an exception, such as explicit consent, covers the transfer. Companies may choose to maintain “business as usual” during this six-month period, but the UK Information Commissioner’s Office has recommended that businesses work with EEA organizations that transfer personal data to them and take steps to put in place alternative transfer mechanisms as a precautionary measure. In addition, to maintain compliance with Article 27 of the GDPR, companies should consider whether they need to appoint a new representative in an EU location if their representative was located in the UK and they plan to conduct data processing activities in the EEA.