Transferring Personal Data to the UK Post-Brexit
- Details
- Created: Monday, March 22 2021 18:27
It is important for businesses of all sizes to be aware of the implications of Brexit on data transfers/ processing to third parties in the UK.
Data transfers arise for many businesses in the course of everyday business activities. For example, if you use an outsourced IT or payroll services provider that is based in the UK, that is likely to result in the transfer of your client/ customer data to the UK. That is an act of data “processing” that is governed by the General Data Protection Regulation (“GDPR”).
When the Brexit transition period ended on 31st December 2020, the UK became a "third country" from the perspective of GDPR. This means that transfers of personal data from Ireland to the UK are treated in the same way as transfers of personal data to other countries outside the EU. Detailed provisions for the transfer of data to “third countries”, designed to ensure the safety of personal data to non-EU jurisdictions, then apply to the UK.
A transfer of personal data to the UK (as a “third country”) may take place if the EC Commission issues what is known as an “adequacy decision” in respect of the UK. Article 45.1 of GDPR states that an adequacy decision would allow a transfer without any specific authorisation. This means that the EC Commission has decided that the UK ensures an adequate level of data protection, thereby allowing personal data to be sent from an EU state to the UK. The data transfer to the UK will be the same as a data transfer to another EU jurisdiction and no additional safeguards will be necessary.
Thankfully, despite the Brexit transition period expiring on 31st December 2020, transfers of data from the EU to the UK can still freely occur for a four-month period, which may be extended to six months. This is known as a “bridge period”. Following expiry of that bridge period, then the UK is officially a “third country” from the perspective of GDPR, meaning that data can only flow from the EU to the UK if certain safeguards are in place.
Further good news was received on 19th February, when the EC Commission launched the process towards adopting an adequacy decision in respect of the UK. A draft adequacy decision was issued on that date, meaning that the ratification of an adequacy decision is overwhelmingly likely in the next number of months. The EC Commission has stated in the issue of its draft decision that it is satisfied that the UK “ensures an essentially equivalent level of protection”, meaning that no reason exists not to formally ratify an adequacy decision.
Once this adequacy decision is formally ratified, then transfers between the EU and the UK may take place to the UK in the same manner as they may take place with the EU.
What does this mean for businesses in practice?
As matters stand, businesses may transfer data to the UK as if the transfer is being made within the EU, as we are currently in the bridge period. However, businesses should be conscious that this is currently only permissible due to the bridge period. Businesses should keep abreast of the progress of the UK adequacy decision.
If that adequacy decision is made by the expiry of the bridge period, then data transfers can continue as if the UK is in the EU. However, if an adequacy decision is not made by the EC Commission, then businesses need to find alternative methods of safeguarding the personal data being transferred to the UK. That is a difficult task, as the legitimacy of third country data transfers has been under heavy scrutiny arising from a number of high-profile European Court of Justice cases involving the Austrian data privacy campaigner Max Schrems.
Also, it is very important for businesses to be aware that, even if an adequacy decision is in place with the UK, all other requirements of GDPR must be satisfied on any data transfer to the UK. These include completing due diligence on the third-party processor, ensuring the security of any data transferred, and entering a formal data processing agreement. These requirements apply to all third-party data processing.