Personal data flows from the EU: an update

As the end of the transition period loomed, concerns were raised on how personal data flows could continue into and out of the EU from the UK once the UK’s transition period came to an end. The EU’s data protection regime contains formal requirements for transfers of personal data to countries outside the EEA together with stiff fines and enforcement mechanisms for those who don’t comply.

The Trade and Cooperation Agreement provides that for the duration of the “specified period”, transmission of personal data from the EU to the UK will not be considered a transfer to a third country under EU law. However there are caveats to this: first, the data protection law of the UK on 31 December 2020 continues to apply (i.e. the UK does not enact new data protection laws) and second, the UK does not exercise any of the “designated powers” (which includes, for example, authorising new contractual clauses) without the agreement of the EU.

What is the “specified period”?

This is the period from the date that the Trade and Cooperation Agreement entered into force (1 January 2021) and ends:

• On the date on which an adequacy decision in relation to the UK is adopted by the European Commission; or
• Four months after the specified period began, which can be extended by a further two months unless either the UK or EU objects,

unless during the specified period, the UK amends its applicable data protection regime or exercises the designated powers without the EU’s agreement, in which case the specified period ends at that point.

What does this mean in practice?

If you are a UK organisation and you receive personal data from the EU (whether from a controller or a processor), you can continue to receive personal data from the EU for at least a further 4 months without taking any further steps at this stage. This is likely to be extended to 6 months giving UK organisations until 30 June 2021 to put in place measures to be able to continue to receive data exports from the EU. The UK has, in effect, received a “quasi” adequacy decision at this stage.

If an adequacy decision in relation to the UK is adopted by the European Commission, EU organisations will continue to be able to send personal data to the UK without any further measures being taken. However, if there is no adequacy decision adopted by the end of the specified period, UK organisations that receive personal data from the EU will need to put in place a mechanism to enable EU organisations to continue to transfer personal data to the UK (such as standard contractual clauses).

If you send or receive personal data from the EU as part of your business practices (for example if you have an office in the EU, you have customers in the EU or you hold customer or staff data within the EU – for example data held on online platforms in Ireland or the Netherlands), you should make sure you will be able to continue to use such personal data after 30 June 2021, otherwise you could face fines or enforcement action.

Ward Hadaway regularly advises organisations in a variety of sectors on data protection law compliance issues and our team of data protection experts are experienced in dealing with personal data exports. For more details on how we can help you, or for guidance on any of the issues raised above, please get in touch.