What about the transfer of personal data between the United Kingdom and the European Member States after Brexit? In the following blog post, we will provide an overview of the current developments in data protection law in the context of the UK withdrawal from the European Union.
From Brexit to 31 December 2020
The United Kingdom left the EU on 31 January 2020. Due to the withdrawal from the EU, a series of transitional arrangements initially came into force by means of a withdrawal agreement, particularly arrangements regarding the cross-border data exchange between the EU and the United Kingdom. Based on these arrangements, the United Kingdom was not considered a third country, but still an EU Member State from Brexit until 31 December 2020. As a consequence, the GDPR also applied to data processing between the EU and the United Kingdom in the year 2020. Therefore, there were no further conditions attached to the transfer of personal data from the EU to the United Kingdom and vice versa during this transition period.
From 31 December 2020 to 30 June 2021
Following months of negotiations on the terms and conditions of their future cooperation, the EU and the United Kingdom reached the so-called Trade and Cooperation Agreement on 24 December 2020, literally at the last second before the expiry of the transition period on 31 December 2020 provided for in the withdrawal agreement. The agreement stipulated further transitional arrangements for data exchange between the EU and the United Kingdom. The key message of the agreement’s data protection provisions is that the United Kingdom shall not be considered a third country within the meaning of the GDPR for the transition period. During the transition period from 1 January 2021 up to 31 April 2021 (the so-called “bridge”), Art. 44 f. GDPR regarding data transfer to third countries is not yet applicable. Provided that neither the EU nor the United Kingdom objects, the transition period shall be automatically extended by two months until 30 June 2021.
The transition period of the Trade and Cooperation Agreement ends when the EU Commission adopts a so-called adequacy decision for the United Kingdom – similar to the one for Switzerland, Argentina and Japan. Until then, data exchange between the EU and the United Kingdom will continue with recourse to the Trade and Cooperation Agreement.
On 1 January 2021, the United Kingdom also officially left the EU Single Market and the Customs Union. As a consequence, GDPR no longer applies in the United Kingdom. Data processed since that day must now comply with the provisions of the national Data Protection Act 2018 and a new act adapted to the GDPR, the “UK GDPR”.
As of 19 February 2021
On 19 February 2021, the EU Commission initiated proceedings for the adoption of an adequacy decision. The objective: After expiry of the six-month transition period of the Trade and Cooperation Agreement, an adequate level of data protection for the transfer of personal data from the EU to the United Kingdom shall be ensured as of 1 July 2021.
Draft of the adequacy decision
In principle, Art. 45.3 GDPR provides that the EU Commission, after having assessed the adequacy of the level of data protection in a third country, may decide by means of an implementing decision (so-called “adequacy decision”) that the third country provides an adequate level of data protection – i.e. a level of protection for personal data – which essentially equals the level of protection within the EU. There are officially no reservations against data transfer from the EU to the United Kingdom. Therefore, if a non-EU country has subsequently been classified as “adequate” by the EU Commission, the transfer of personal data to this non-EU country does not require a separate permission (Art. 45.1 sentence 2 GDPR).
In its press release, the EU Commission states that, in the last months, it has been carefully examining UK law and UK practice on the protection of personal data with regard to the level of data protection. The EU Commission already concludes that the United Kingdom ensures an essentially equivalent level of data protection to that ensured in the EU by the GDPR. Currently, the level of data protection in the United Kingdom does not differ significantly from that in the EU. With few modifications, the GDPR has become part of the UK data protection law under the national Data Protection Act 2018. Provided the United Kingdom does not drastically change its data protection law in the coming months, the adequacy decision of the EU Commission should be adopted shortly.
Perspective
After seeking the opinion of the European Data Protection Committee, the EU Commission will ask the Member States to give the green light for the adequacy decision in order to be able to take its own final decision regarding the “adequate level of data protection” for data exchange from the EU to the United Kingdom. As soon as the EU Commission adopts an adequacy decision, the United Kingdom is to be considered a safe third country, meaning that data exchange from the EU to the United Kingdom is possible without any additional guarantees.
Last but not least, the adequacy decision of the EU Commission only concerns data transfer from the EU to the United Kingdom. Data transfer in the other direction – from the United Kingdom to the EU – has been regulated by British legislation since 1 January 2021. The United Kingdom has already decided that the EU provides an adequate level of data protection and that personal data can be transferred freely from the United Kingdom to the EU.