There was a concern that with the possibility of no deal and the UK being a "third country" after the transition period, data transfers between the UK and European Union/European Economic Area (EU/EEA) would be restricted and require an appropriate transfer mechanism, which many organisations would not have put in place by 31 December 2020. Following a deal being reached, we take a look at what Brexit means for data protection.
UK businesses will be breathing a sigh of relief at the ICO confirming what is in the Brexit deal with regard to EU to UK data flows being able to continue for up to six months from 1 January. The extension in the deal (summarised below) provides additional time to finalise future arrangements. It is important to recognise that the extension is only guaranteed for 4 months and only for as long as the UK doesn’t make changes to its current data protection regime. The window will automatically extend to six months unless the UK or the EU object. It does not automatically apply to the EEA states (Iceland, Liechtenstein and Norway) and they have to decide if they will accept the extension.
Employers should read our earlier article about how data transfers for employers can affect even those solely in the UK but which use EU based processors for Recruitment/HR/payroll/benefits/IT platforms or cloud services etc. More generally businesses need to check if they are sending to and/or receiving personal data from entities in the EU/EEA and take the opportunity to review their data flows and arrangements and decide what action they wish to take. “Appropriate transfer mechanisms” could be Standard Contractual Clauses but they can be time consuming and aren’t suitable for every circumstance. Ideally, the deal would have been accompanied with the alternative mechanism of an adequacy decision by the EU in relation to the UK’s data protection regime but there were (and perhaps still are) significant hurdles around this due to recent EU data protection rulings. The extension allows more time for an adequacy decision to be made by the EU, but there is no guarantee that will happen.
For the time being at least the position remains that reached in the Brexit deal – helpfully summarised in the UK-EU Trade and Cooperation Agreement Summary as follows:
This Part also includes a provision to provide for the continued free flow of personal data from the EU and EEA EFTA States to the UK until adequacy decisions are adopted, and for no longer than six months. The UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.
The ICO has produced a statement in response, which you can read here. It advises that whilst this is good news for the time being, it recommends alternative transfer mechanisms being put in place in during this period, presumably in case no adequacy decision is reached in the allotted time period.
UK businesses should note that whether or not there is an adequacy decision then if they trade with the EU/EEA they still need to determine whether they need to appoint a GDPR representative in the EU/EEA if they are processing personal data of individuals who are in the EU/EEA – the Brexit deal does not alter this requirement – see our previous article on this subject for more detail.
Enjoy That? You Might Like These:
Stuck in the middle – is where businesses find themselves following the NI & dividend tax increases?