Brexit: The Future of Data Flow to and from the EEA and the UK
The UK is nearing the end of its Brexit transition period (the Transition Period), which expires Dec. 31, 2020. Although the UK has not been a party to the European Economic Area (EEA) agreement since the passage of Brexit, it has been treated as an EEA member during the Transition Period. Because of this status, data has continued to flow freely between the EU and UK during this time. However, the UK’s treatment as a member of the EEA is set to end upon the expiration of the Transition Period. At that point the UK will be considered a “third country” under the GDPR for the purpose of cross-border data transfers. Companies in the EEA may only freely transfer data to a third country if the European Commission has granted an adequacy decision for the country. Otherwise, the company must take steps to ensure that the importing country (i.e., the UK) provides protections equivalent to those in the EEA.
As of mid-December 2020, the European Commission has not granted an adequacy decision to the UK. It is possible that no adequacy decision will be delivered in time to allow a smooth transition for data flow at the end of the Transition Period. UK and EU officials are currently discussing a temporary extension (no longer than six months), but this interim solution is tied to wider trade negotiations, the efficacy of which has remained uncertain. Further, any extension to the data flow that is granted may be immediately challenged by privacy advocates in EU courts.
Will data transfers from the UK to the EEA be affected?
No (for now). Under the UK’s domestic version of the GDPR, which comes into effect Jan. 1, 2021, at the same time the EU GDPR ceases its applicability in the UK, data may continue to flow freely from the UK to the EEA after the end of the Transition Period. The UK’s Information Commissioner’s Office (ICO) has issued official guidance that indicates that transfers out of the UK to the EEA will remain unaffected for the time being, regardless of what happens at the end of the Transition Period. However, the UK has stated that it intends to keep this arrangement “under review.”
Will countries that have been deemed adequate by the EU continue to allow uninterrupted data transfers to the UK?
Mostly yes. The EU has delivered adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland and Uruguay. The UK government has entered into special arrangements with all the countries/territories listed above (except Andorra) to allow for the continued uninterrupted flow of data into the UK. That means that data collected in one of these countries is likely to continue to flow to the UK uninterrupted. It is important to note, however, that if data from the EEA is collected in one of these countries, a company may not feel comfortable transferring that data to the UK (an “onward transfer”) without additional steps to ensure that adequate protections are in place for that data in the UK. Put differently, data that originates in one of these countries will flow uninterrupted to the UK. Data that originated in the EEA and passes through one of these countries may need additional steps before it can go to the UK.
Will the UK continue to honor the European Commission’s existing adequacy decisions?
Yes. The ICO’s guidance for large business provides that the UK government intends to recognise EU Commission adequacy decisions made before the end of the transition period. This will allow restricted transfers to continue to be made from the UK to most organizations, countries, territories, or sectors covered by an EU adequacy decision.
Impact on companies
If your company regularly transfers data from the EEA to the UK, you should be prepared to quickly adapt if no adequacy decision or temporary extension of the UK’s current status is delivered by Dec. 31, 2020. This means making sure that your company is prepared to implement an approved transfer mechanism (such as the SCCs in combination with appropriate supplemental measures, which are also in flux at the moment) as soon as possible to cover data transfers to vendors, business partners and UK-based affiliates. It is critical to be mindful of any specific guidance issued in the coming weeks by EEA supervisory authorities on the use of particular transfer mechanisms for transfers to the UK. For example, Ireland’s Data Protection Commission (DPC) recently stated that companies will need to self-evaluate whether the use of the SCCs will offer equivalent protection to data transferred to the UK as that offered in the EEA, and may need to report certain UK transfers under the SCCs to the DPC.
Further, you may also be required to update your company’s privacy notices to reflect how the company is handling data transfers to and from the UK, as the existing policy may inaccurately state or omit required information concerning data transfer mechanisms.
Finally, regardless of whether a decision is delivered in time or an extension is granted, if your company is UK-based (or established anywhere outside of the EEA), you will also need to evaluate whether you are obligated to appoint an EU representative to act as a contact point within the EU.
The enforcement risks for noncompliance during the period immediately following expiration of the Transition Period are anticipated to be low but will become pressing as time goes on if the UK does not quickly receive an affirmative adequacy decision, or if the European Commission determines the UK is not adequate. Notably, the decisions of the Court of Justice of the European Union this year (Schrems II being just one example) indicate that the UK may not be deemed adequate. If that is the case, even if UK and EU officials reach a deal for a temporary extension of the UK’s current status, the deal may not provide more than a few months’ respite before changes will need to be implemented.