Personal data flows from the EU: an update
7th January, 2021
As part of the UK's Trade and Cooperation Agreement with the EU, the UK and EU have agreed that personal data flows from the EU to the UK can continue, for a specified period (likely to be 6 months), as they had prior to the end of the transition period.
As the end of the transition period loomed, concerns were raised on how personal data flows could continue into and out of the EU from the UK once the UK’s transition period came to an end. The EU’s data protection regime contains formal requirements for transfers of personal data to countries outside the EEA together with stiff fines and enforcement mechanisms for those who don’t comply.
The Trade and Cooperation Agreement provides that for the duration of the “specified period”, transmission of personal data from the EU to the UK will not be considered a transfer to a third country under EU law. However there are caveats to this: first, the data protection law of the UK on 31 December 2020 continues to apply (i.e. the UK does not enact new data protection laws) and second, the UK does not exercise any of the “designated powers” (which includes, for example, authorising new contractual clauses) without the agreement of the EU.
What is the “specified period”?
This is the period from the date that the Trade and Cooperation Agreement entered into force (1 January 2021) and ends:
- On the date on which an adequacy decision in relation to the UK is adopted by the European Commission; or
- Four months after the specified period began, which can be extended by a further two months unless either the UK or EU objects,
unless during the specified period, the UK amends its applicable data protection regime or exercises the designated powers without the EU’s agreement, in which case the specified period ends at that point.
What does this mean in practice?
If you are a UK organisation and you receive personal data from the EU (whether from a controller or a processor), you can continue to receive personal data from the EU for at least a further 4 months without taking any further steps at this stage. This is likely to be extended to 6 months giving UK organisations until 30 June 2021 to put in place measures to be able to continue to receive data exports from the EU. The UK has, in effect, received a “quasi” adequacy decision at this stage.
If an adequacy decision in relation to the UK is adopted by the European Commission, EU organisations will continue to be able to send personal data to the UK without any further measures being taken. However, if there is no adequacy decision adopted by the end of the specified period, UK organisations that receive personal data from the EU will need to put in place a mechanism to enable EU organisations to continue to transfer personal data to the UK (such as standard contractual clauses).
If you send or receive personal data from the EU as part of your business practices (for example if you have an office in the EU, you have customers in the EU or you hold customer or staff data within the EU – for example data held on online platforms in Ireland or the Netherlands), you should make sure you will be able to continue to use such personal data after 30 June 2021, otherwise you could face fines or enforcement action.
Ward Hadaway regularly advises organisations in a variety of sectors on data protection law compliance issues and our team of data protection experts are experienced in dealing with personal data exports. For more details on how we can help you, or for guidance on any of the issues raised above, please get in touch.
Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.
This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.