Despite the UK's departure from the EU on 31 December 2020, the EU-UK Trade and Cooperation Agreement (Trade Agreement), effective from 1 January 2021, provides that personal data can continue to flow freely from the European Economic Area (EEA) to the UK for a limited "specified period".
During this period, such data flows will not be treated as made to a so-called 'third country', i.e. a country outside the EEA, for the purposes of the EU General Data Protection Regulation (GDPR). This arrangement, made to accommodate an assessment of UK data protection standards, is conditional on the UK not amending its current data protection legislation (known as the UK GDPR) or exercising certain "designated powers".
Transfers from EU/EEA to UK:
- The "specified period" is intended to provide time for the European Commission to assess UK data protection standards and, if satisfied with the information received, move to adopt an adequacy decision in respect of the UK, involving the European Data Protection Board and the European Parliament in the decision-making procedure. It began on 1 January 2021, and ends either: (1) on the date on which an adequacy decision in relation to the UK is adopted by the European Commission; or (2) four months after the specified period begins. The four-month period can be extended by a further two months, unless either the EU or the UK objects.
- If the UK amends its data protection regime or exercises the designated powers without the agreement of the EU, the specified period comes to an end. The UK government is optimistic that an adequacy determination will be adopted during the bridging period although concerns have been expressed that it may be challenged by the European Parliament or by privacy campaigners.
Transfers from the UK to the EU/EEA:
- The UK Government will recognise the EU as continuing to offer adequate protection so additional transfer mechanisms are not required for UK to EU personal data flows.
One Stop Shop:
- The "one stop shop" mechanism under the GDPR allows organisations established in the EU and engaging in cross-border processing to deal with a single lead supervisory authority, being the data protection authority of the organisation's "main establishment".
- In addition to being in scope for the purposes of the new UK GDPR, a UK company may also be subject to the GDPR if it is caught by the territorial scoping provisions under Article 3.
- If a UK organisation has no EU main establishment, but offers goods or services to individuals in the EU, the UK business will not be able to benefit from the "one stop shop" and will be subject to investigation or enforcement activity by any supervisory authority in the EU (as well as by the Information Commissioner's Office (ICO), as the UK regulator). This would also arise if the organisation has multiple establishments (in the UK and EU) but none of the EU establishments meet the "main establishment" test set out in Article 4(16) GDPR.
- If a UK organisation has a European main establishment, it will be regulated by the ICO and the supervisory authority in that EU country in relation to any cross-border processing. Both of the supervisory authorities would have the power to apply sanctions and issue fines under the applicable legislation, but there would be no requirement for the authorities to co-operate over such enforcement action.
The "specified period" which allows for the free transfer of personal data from the EU to the UK will last for a maximum of 6 months. If there is no adequacy decision in place at that point, UK organisations that receive data from the EU will have to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data. Such mechanisms include standard contractual clauses and binding corporate rules. (We discuss recent guidance on transfer mechanisms from the European Data Protection Board in our briefing here.)
In addition, as the one stop shop will no longer apply in many instances, UK organisations may be exposed to greater GDPR risk as they may be subject to investigation or enforcement activity by several supervisory authorities. Organisations should therefore carefully determine whether they have a main establishment in the EU for the purposes of the GDPR that would entitle them to the one stop shop cooperation procedure. Similarly, organisations not established in the UK, but which process personal data of UK persons, may need to appoint a UK representative under the UK GDPR.
The authors wish to thank Grainne Bennett for her contribution to this article.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.