February 20th, 2021
Please keep an eye on this page - we will update it as further information becomes available
Brexit - European Commission’s Draft Data Adequacy Decisions (NEW February 2021)
The European Commission (EC) has issued draft adequacy decisions which set out that the UK should be found ‘adequate’.
This means, assuming it’s formally approved, that:
- The unrestricted flow of data between the European Economic Area and the UK can continue.
- Alternative data transfer mechanisms (such as standard contractual clauses) will not be needed to safeguard personal data transferred from the EEA to UK.
The draft decisions published on Friday 19 February will now be shared with the European Data Protection Board for a ‘non-binding opinion’, before being presented to EU member states for formal approval.
The interim ‘bridging’ solution (agreed as part of the EU-UK Trade and Cooperation Agreement) will remain in place until June 30 or until the adequacy decisions come into effect, whichever is sooner.
The adequacy finding will be re-examined every four years to make sure that the UK rules continues to offer an adequate level of protection and it will be open to legal challenges at the European Court of Justice.
For further information go to: https://www.gov.uk/government/news/uk-government-welcomes-the-european-commissions-draft-data-adequacy-decisions
We’ll provide further news on the approval as soon as we can.
Brexit - Interim solution for personal data transfers from EU to UK (January 2021)
On 24 December 2020, the UK and the EU agreed the terms of a Brexit deal which includes an interim solution to the issue of personal data transfers from the EU to the UK. This means that there is no need (yet) to put alternative transfer mechanisms (such as SCCs) in place.
The interim solution allows organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to hopefully approve an adequacy decision for the UK. During the extension period, transfers of personal data from the EU (and the EEA) to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains the same as it is as of 31 December 2020). However:
- The initial four-month extension period will end when adequacy is granted, or may be extended by two further months unless the UK or EU objects;
- If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.
The Agreement took effect provisionally in EU law on 1 January 2021, pending ratification by the EU Parliament in early 2021. The UK Parliament has ratified the Agreement.
The ICO has issued a statement on the Agreement. The statement reminds us that adequacy is not guaranteed and therefore:
“As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.”
Data Transfers From UK To EU
The Agreement does not address transfers of personal data from the UK to the EEA. These transfers can however continue without safeguards because the UK has already designated EEA member countries as providing an adequate level of protection (of personal data for the purposes of the UK GDPR). In addition, the UK has adopted the same adequacy decisions as the EU and so transfers can be made from the UK to these ‘adequate’ countries e.g. Japan, without additional safeguards.
Other Brexit Issues
It is important to remember that
organisations still need to address other Brexit issues, including privacy
notice updates and the appointment of an EU representative where necessary.
Please see the detail below for more information on these issues.
The BHBIA's guidance for members
- See our 'Data Protection Update – Brexit Implications' and 'Brexit Implications - Nominating a Representative' guides, under 'Guidance Notes' in the Privacy and Data Protection section of the website. These have both now been updated with the latest (January 2021) information.
- You can also tune into the recording of our 'Brexit and Data Protection Implications' webinar, held on 13 November, to hear the guidance clearly explained by members of the Ethics & Compliance Committee.
If you’re keen to keep up with the latest advice on preparing for the data protection implications of Brexit, you will be interested in the following:
- In December 2020, the MRS provided an update: ‘Brexit and Research: what’s next? Data protection at the end of the transition period’. It sets out the issues that practitioners need to consider in data protection at the end of the transition period.
- This article on Lexology; you can access the article and checklist here: Ready, Steady, Brexit: Your Data Protection checklist for 1 January 2021.
- EFAMRO's short report: Brexit, Data Protection and Research, What happens on January 1, 2021? provides clear and helpful guidance upon the European data protection Board’s December 2020 recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (currently under consultation).