In December 2018, we considered what a transfer of personal data between the EU and UK meant from a GDPR compliance perspective post-Brexit, i.e. when the UK became a ‘third country’ for data protection purposes. In this article we take a look at how matters have progressed since.
Almost three years on from the enactment of the GDPR, most businesses will be familiar by now with its extensive compliance requirements.
One such requirement is contained in Chapter 5 of the GDPR, which makes any transfer of personal data outside the EEA, i.e. to a ‘third country’, unlawful unless the transfer is in line with one of the mechanisms provided for thereunder, the most straightforward of which is a transfer based on an adequacy decision.
Existing adequacy decisions
An adequacy decision refers to a decision of the European Commission deeming a particular third country as having adequate privacy protection laws in place.
At present, adequacy decisions have been granted in favour of Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Where an adequacy decision does not exist for a particular third country, for example the USA, data flows from the EEA to that country must be made pursuant to particular safeguards provided for in the GDPR, such as standard contractual clauses or binding corporate rules (where transfers arise between related entities).
Current Stance – Data bridge
After Brexit took effect on 31st January 2020, there was an eleven-month transition period during which EEA-UK personal data transfers remained lawful. Pursuant to the EU-UK Trade and Co-operation Agreement, agreed on 24th December 2020, the transition period for data protection purposes was extended and a six-month data bridge was put in place to allow time for a UK adequacy decision to be considered by the European Commission.
This means that EU-EEA data flows can continue during this period without the need for further protections pursuant to Chapter 5 GDPR.
UK - Adequate or Inadequate?
Since the Brexit referendum vote in 2016, one of the biggest considerations for data protection practitioners was whether an adequacy decision would be granted in favour of the EU post-Brexit.
Although, at the date of writing, there is still no definitive answer to this question, the UK came one step closer to an adequacy decision on 19th February 2021, when the European Commission published a draft decision finding that UK law provides an adequate level of protection for personal data.
Before this decision is adopted, however, it must be reviewed by the European Data Protection Board and, ultimately, by individual Member States, both of which must be satisfied before it is implemented. The European Parliament and EU Council can also seek to scrutinise the decision and request that it be maintained, amended or withdrawn, as necessary.
The terminus of the data bridge and the deadline for adoption of the adequacy decision is 30th June 2021, after which date other compliance mechanisms under Chapter 5 GDPR will be required to legitimise any EEA-UK data transfers.
Although pushback remains possible, there is inevitably support on both sides of the Irish Sea for the adoption of the decision, so as to retain some form of normality in day-to-day commercial dealings with our UK counterparts.
Watch this space!