EU-UK Personal Data Flows can Continue Post-Brexit (for now)

UK Adequacy Decision

The UK is eagerly waiting to see whether the EU Commission (EC) will make an adequacy decision in favour of the UK. Without this, alternative safeguards will have to be implemented where personal data is transferred from the European Economic Area (EEA) to the UK, following Brexit.

The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to other jurisdictions unless specific conditions are met. One of these conditions is that the EC has granted an adequacy decision, meaning that the destination country has “adequate” local data protection laws in place that are commensurate with the GDPR. The 12 countries subject to such a favourable adequacy decision include Switzerland, New Zealand and the Isle of Man.

As of 31 December 2020, no adequacy decision had been made in the UK’s favour. However, a bridging deal has now been agreed which allows for the continued flow of personal data from the EEA to the UK for a maximum of six months following the end of the Brexit transition period. This is subject to the UK not amending its existing data protection legislation during this time. The hope is, of course, that an adequacy decision will be made within these six months, allowing this free flow to continue into the future without requiring changes to current data protection practices.

However, the data privacy supervisory body in the UK, the Information Commissioner’s Office (ICO), has recommended that, where UK businesses transfer data to the EEA, they use this six-month period to work with EU organisations to start implementing alternative transfer mechanisms, such as EC-approved standard contractual clauses or binding corporate rules. The hope is that this will support business continuity and allow lawful transfers in the event that no adequacy decision is granted in the UK’s favour. At the very least, developments should be closely monitored.

Applicable UK Data Protection Laws

The EU GDPR has now been incorporated into UK data protection law as the UK GDPR. In practice this means that the main principles, obligations and rights that we have become used to under the EU GDPR will remain the same.

We would recommend that companies work to update their privacy notices, data processing clauses and internal policies to reflect the change from the EU GDPR to the UK GDPR. Additionally, any data breaches may now need to be notified to both the ICO in the UK and, if applicable, the supervisory body in the relevant EU country.

The Privacy and Electronic Communications Regulations covering marketing, cookies and electronic communications, as well as the UK Data Protection Act 2018, will continue to apply. The ICO will remain the independent supervisory body regarding data protection laws in the UK.

The UK has deemed the same 12 countries as the EC, as well as all 30 remaining EEA/EU countries, to be “adequate”. This means the free flow of personal data to these countries from the UK can also continue.

Please bear in mind that the EU GDPR will continue to apply where you operate in Europe, offer goods or services to individuals in Europe, or monitor the behaviour of individuals in Europe.

If you would like any further advice on the matters mentioned above or have any other data protection queries, please get in touch.

Madeleine Rhodes