Post-Brexit – data transfers

Nigel Miller (partner)

As the UK and the EU have now reached a deal on Brexit, what’s the position on data transfers as from 1 January 2021?

Here’s a high-level summary:

Transfers from UK to EEA – these will be subject to UK GDPR. The UK government has confirmed that such transfers are not restricted and so can continue as before without the need for any transfer tool to be put in place.

Transfers from UK to third countries outside the EEA – the position remains similar to the current GDPR rules. Although the UK will in due course make its own adequacy decisions, for the time being existing EU adequacy decisions and the EU approved standard contractual clauses will continue to be recognised.

Transfers from EEA to UK – from 1 January 2021 the UK is a “third country” so far as EU GDPR is concerned; therefore, transfers from EEA to UK will be restricted transfers. The UK was seeking an “adequacy decision” from the European Commission as part of the Brexit deal to permit such transfers to continue without the need for a transfer tool to be put in place. A joint declaration published alongside the deal makes clear that the EU will undertake this adequacy assessment. However, an adequacy decision was not part of the deal. Pending this, a temporary arrangement has been agreed to allow data to continue to be transferred from the EEA to the UK for the next four months (extendable to six months).

Given this temporary arrangement, thankfully it is not necessary for organisations involved in such transfers to rush to put in place standard contractual clauses or another transfer tool as from 1 January. However, this will need to be kept under careful review in Q1 and Q2 2021.

Transfers to the US which relied on Privacy Shield – as a result of the Schrems II decision in July 2020, which invalidated the Privacy Shield arrangement, another transfer tool needs to be put in place, such as standard contractual clauses. But see next point.

Using standard contractual clauses – as well as transfers which have become restricted transfers as a result of Brexit, all restricted transfers will need to be reviewed in 2021 with the implementation of the proposed new standard contractual clauses issued by the European Commission in November 2020 – see https://idatalaw.com/2020/11/20/new-standard-contractual-clauses/

In addition to the above, following Schrems II, in order to rely on standard contractual clauses organisations must carry out a “transfer impact assessment” to determine whether the clauses guarantee an equivalent level of protection for the transferred data as applies under GDPR; if implementation of SCCs alone would not guarantee an equivalent level of protection, then “supplementary measures” need to be put in place to ensure such a level of protection – see further https://idatalaw.com/2020/11/20/new-guidance-for-international-transfers-post-schrems-ii/

Putting aside international transfers for a moment, we wish you all the best for a healthy and successful 2021!