Until the end of April (possibly even until the end of June 2021), data transfers from the EU to the UK will not (yet) considered “third country transfers” and therefore do not require a separate justification under data protection law. However, companies may still need to appoint EU or UK representatives at short notice.
Background and Latest Developments
On 31 December 2020, the so-called Brexit transition period ended after the United Kingdom had already left the EU on 31 January 2020. Due to the ongoing negotiations, it was therefore still unclear until the end of December 2020 which data protection regulations would apply to data protection or data transfers from and to the United Kingdom. It was to be feared that the United Kingdom would be considered a “third country” within the meaning of Art. 44 et seq. Data Protection Regulation (GDPR). This would have made the transfer of personal data much more difficult and would have caused some legal uncertainty.
On 30 December 2020, the EU and the United Kingdom concluded a so-called “EU-UK Trade and Cooperation Agreement”. The more than 1,200-page text of the treaty is available here.
Privileging of data transfers for up to six months as of January 2021
The above-mentioned agreement also contains the following privilege for EU-UK data transfers (Article “FINPROV.10A”, page 427):
[…] transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law […]
This means that data transfers to the United Kingdom enjoy a privileged status for the time being: although the country has left the EU and should therefore – ordinarily – be considered a “third country” under data protection law, this legal consequence is prevented for the time being by a kind of “negative fiction”.
From the point of view of a data controller in the EU who transfers data to the UK, nothing changes – for the time being. In particular, the controller does not have to wait for an adequacy decision by the EU Commission or otherwise seek one of the safeguards of Art. 45 et seq. GDPR (e.g. Standard Contractual Clauses) to legitimise the data transfers from the EU to the UK.
The privilege is limited to four months (i.e. until the end of April 2021), with an automatic extension for a further two months (i.e. until the end of June 2021) – unless either the EU or the UK objects to the extension beforehand.
In addition, the privileged status is subject to a number of conditions: For example, the UK may not significantly change its data protection regulations (except to adapt them to developments in the GDPR). Otherwise, the privilege immediately loses its effectiveness.
Companies must still appoint EU or UK representatives
Even if EU-UK data transfers remain privileged, Brexit will result in a new obligation for companies to appoint data protection representatives in the respective region, if necessary.
We have already reported on this in detail on the PLANIT//LEGAL blog:
Conclusion
With this transitional arrangement, the EU and the UK have bought themselves some respite for shaping the future of data transfers between the EU and the UK.
The data protection uncertainties of Brexit have therefore only been addressed for the time being with this transitional solution. The focus must now be on the EU Commission’s adequacy decision and the further development of data protection law in the United Kingdom.