January 4th, 2021
Please keep an eye on this page - we will update it as further information becomes available
Brexit - Interim solution for personal data transfers from EU to UK
On 24 December 2020, the UK and the EU agreed the terms of a Brexit deal which includes an interim solution to the issue of personal data transfers from the EU to the UK. This means that there is no need (yet) to put alternative transfer mechanisms (such as SCCs) in place.
The interim solution allows organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to hopefully approve an adequacy decision for the UK. During the extension period, transfers of personal data from the EU (and the EEA) to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains the same as it is as of 31 December 2020). However:
- The initial four-month extension period will end when adequacy is granted, or may be extended by two further months unless the UK or EU objects;
- If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.
The Agreement took effect provisionally in EU law on 1 January 2021, pending ratification by the EU Parliament in early 2021. The UK Parliament has ratified the Agreement.
The ICO has issued a statement on the Agreement. The statement reminds us that adequacy is not guaranteed and therefore:
“As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.”
Data Transfers From UK To EU
The Agreement does not address transfers of personal data from the UK to the EEA. These transfers can however continue without safeguards because the UK has already designated EEA member countries as providing an adequate level of protection (of personal data for the purposes of the UK GDPR). In addition, the UK has adopted the same adequacy decisions as the EU and so transfers can be made from the UK to these ‘adequate’ countries e.g. Japan, without additional safeguards.
Other Brexit Issues
It is important to remember that
organisations still need to address other Brexit issues, including privacy
notice updates and the appointment of an EU representative where necessary.
Please see the detail below for more information on these issues.
The BHBIA's guidance for members:
- See our 'Data Protection Update – Brexit Implications' and 'Brexit Implications - Nominating a Representative' guides, under 'Guidance Notes' in the Privacy and Data Protection section of the website. These have both now been updated with the latest (January 2021) information.
- You can also tune into the recording of our 'Brexit and Data Protection Implications' webinar, held on 13 November, to hear the guidance clearly explained by members of the Ethics & Compliance Committee.
If you’re keen to keep up with the latest advice on preparing for the data protection implications of Brexit, you will be interested in the following:
- In December 2020, the MRS provided an update: ‘Brexit and Research: what’s next? Data protection at the end of the transition period’. It sets out the issues that practitioners need to consider in data protection at the end of the transition period.
- This article on Lexology; you can access the article and checklist here: Ready, Steady, Brexit: Your Data Protection checklist for 1 January 2021.
- EFAMRO's short report: Brexit, Data Protection and Research, What happens on January 1, 2021? provides clear and helpful guidance upon the European data protection Board’s December 2020 recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (currently under consultation).