The Brexit Agreement And Data Flows: A View From Finland – Privacy – Finland – Mondaq News Alerts

21 January 2021

Ius Laboris


The EU and UK reached a Trade and Co-operation Agreement ('Brexit Agreement') on 24 December 2020 bringing clarity to many complex issues following the end of the Brexit transition period, including transfers of personal data. Transfers of personal data to the UK may continue as normal for up to six months after the Brexit transition period ended on 31 December 2020 until the EU Commission makes an adequacy decision concerning the UK.

Brexit means that the UK will no longer benefit from the free flow of personal data between EU and EEA countries. Any transfer of personal data from the EU to the UK will, therefore, have to comply with the hefty restrictions on international transfers under the GDPR, recently upgraded by the Schrems II judgement.

The Brexit Agreement, however, provides an extension for the benefit of EU-UK data transfers, referred to as the 'bridge', meaning that the free flow of personal data between the EU and UK may continue for another four months (until 1 May 2021) extendable for another two months (until 1 July 2021) unless objected to by either the EU or UK. The bridge is conditional on the UK not amending its data protection laws during the period. The period will terminate if the EU Commission confirms before the end of the period that the UK provides adequate protection for personal data (a so-called 'adequacy decision').

If the bridge ends without an adequacy decision, companies in the EU would have to have appropriate safeguards in place or rely on derogations as required under the GDPR to justify transfers of personal data to the UK. This would be a considerable and pricey compliance burden for the many organisations operating across the newly adjusted EU border including, for example, EU-based corporate groups with UK entities.

The daunting complexities surrounding international transfers and Brexit have been postponed, but not solved. Stakeholders on both sides of the Channel now face the task of preparing for two opposite scenarios simultaneously. In the absence of an adequacy decision, EU companies would have to have all necessary measures in place (such as standard contractual clauses or other safeguards) to ensure that transfers of personal data to the UK comply with the requirements for international transfers under the GDPR.

At the same time, it is highly desirable and likely that UK adequacy will be confirmed, thus rendering any further safeguards or measures unnecessary. Nevertheless, organisations have to be mindful of both potential outcomes. For example, the UK Information Commissioner's Office has recommended putting alternative safeguards in place before the end of April.

With this in mind, any EU company potentially transferring personal data to the UK (including providing access to personal data) should carry out the following measures to prepare for a non-adequate scenario:

A confirmation of UK adequacy will be highly anticipated during the following months. Although the UK has now regained autonomy over its data protection law, the requirements of the GDPR have been converted into domestic UK law. This means that GDPR standards will, for now, remain part and parcel of UK data protection law, favouring a finding of adequacy by the EU Commission. After all, the Brexit Agreement and the bridge it establishes aim precisely at allowing sufficient time to decide on adequacy.

However, the EU Commission will have to carry out an intricate analysis of the UK's broader relevant legislation, notably the UK's surveillance regime, which has been said to cast doubts on adequacy. The recent Schrems II judgement, in which the European Court of Justice invalidated the partial adequacy arrangement for the US (Privacy Shield), specifically boiled down to excessive surveillance powers of local authorities. Interestingly, the compliance of the UK's surveillance regime with EU law was challenged by the European Court of Justice only a few months ago, on 6 October 2020 (case C-623/17, 'Privacy International'). Therefore, the risk of non-adequacy cannot be ruled out and a confirmation of adequacy bears the risk of privacy campaigners subsequently challenging the adequacy decision, as demonstrated by the Schrems case law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
