On Christmas Eve, the European Union and the UK finally concluded the long-awaited Trade and Cooperation Agreement (“Agreement”) relating to the UK’s separation from the EU as of 1 January 2021.
From the data protection perspective, the Agreement provides much-needed relief for companies across the EU, which have lately been struggling with international data transfers, not least in relation to the Brexit, which will render the UK a third country in the context of the GDPR.
Easier transition for data transfers to and from the UK
The deal provides an interim solution for transfers of personal data from the European Economic Area (EEA) to the UK. Pursuant to the Agreement, transfers of personal data to the UK will not be regarded as transfers to a third country under the GDPR until the earlier of the following:
- the European Commission has reached a decision on the adequacy of UK data protection legislation; or
- six (6) months have passed since the entry into force of the Agreement (comprised of a four-month fixed period plus a two-month extension if not objected to by either of the parties).
During the said period, the UK may not change its current data protection framework without the EU’s approval, or otherwise the aforementioned bridging period may terminate. This interim period ensures that companies transferring personal data to the UK are not required to take any immediate action due to Brexit but can await further developments in the matter.
Furthermore, in accordance with an earlier stance adopted by the UK, transfers of personal data from the UK to the EU (and from the UK to other jurisdictions recognised by the EU as having adequate data protection) will continue to be permitted on a transitional basis by the UK without requiring additional measures from 1 January 2021 onwards.
Does the UK offer an adequate level of data protection?
All eyes will now be on the European Commission and if and when it will be able to finalise its decision on the adequacy of UK’s data protection legislation. As the UK has transposed the GDPR into its own national legislation (this is called the UK GDPR) and has been part of the EU from the very beginning, one might think that concluding the adequacy findings would be a straightforward task. However, the CJEU’s Schrems II judgement in July forced the Commission to take an even closer look at the UK’s data protection framework and to assess whether the rules that are in place in the UK are actually essentially equivalent to those in the EU.
If the European Commission finds the UK non-adequate, it would have severe consequences. Firstly, it would mean an extra burden on companies as they then would need to put in place additional safeguards when transferring data to the UK. Secondly, in a wider context, not finding the UK adequate would set the bar for adequacy extremely high and could create substantial difficulties for the Commission to make new adequacy decisions (for example on South Korea or on certified US companies under any replacement for the Privacy Shield). It could also prove a barrier when re-assessing and continuing existing adequacy decisions.
However, the Agreement stipulates that the parties must be committed to upholding high levels of data protection standards and ensure continued cross-border data flows to facilitate trade in the digital economy without imposing limits on where data can be stored or processed. This puts political pressure on the Commission to find in favour of the UK during the bridging period.
As a leading Finnish law firm, we strongly benefit from our presence in London. Our representative office and strong networks enable us to engage in dialogue with many leading Brexit experts and to provide advice on Brexit-related questions with the Finnish context in mind. Borenius lawyers will continue to monitor the Brexit situation for any developments. You are more than welcome to contact our experts if you have any questions regarding data protection and international data transfers.