16 April 2021
On 24 December 2020, the European Union (EU) and the United Kingdom (UK) entered into the EU-UK Trade and Cooperation Agreement. This set out the terms and conditions on which trade would continue to operate following Brexit and the UK’s exit from the Internal Market.
In doing so, the EU and UK also affirmed their commitment to ensuring a high level of protection for personal data and their responsibility in promoting high international standards. This is particularly relevant since the UK has, as from 31 December 2020, become a ‘third country’ within the meaning of the General Data Protection Regulation (GDPR).
In principle, transfers of personal data from the EU/European Economic Area (EEA) to third countries should only be lawful if an adequate level of data protection can be guaranteed. This is typically so if there is an adequacy decision of the Commission relating to the said country or through standard contractual clauses (SCC).
However, the EU-UK Trade and Cooperation Agreement has provided for an additional four-month period, with the possibility of a two-month extension. Within this period, transfers of personal data between the EU/EEA and the UK would not require any additional safeguards, and would not be considered as a transfer to a third country. Following the expiry of said six-month period, entities transferring data to the UK would then be expected to also comply with these additional safeguards unless an adequacy decision is reached.
The EU and UK have jointly declared their intention to adopt and put in place an adequacy decision. A draft adequacy decision has been prepared by which the Commission is to allow the free movement of personal data to and from the EEA and UK. The European Data Protection Board (EDPB) has reviewed the draft and issued its opinions.
Although the EDPB’s opinions are not binding on the Commission’s decision, they are expected to be given careful consideration. For the Commission’s decision to eventually become final, though, a committee of representatives of EU Member States must issue a positive decision in its regard.
In the event that no adequacy decision is reached before the expiry of the transitional period, organisations transferring data to the UK will need to apply additional safeguards to personal data, ensuring the same protection as that under the GDPR, such as through the insertion of SCC.
Organisations must also recognise that other factors may come into play given that new arrangements may be required due to Brexit, especially the simultaneous application of the GDPR and the UK’s version thereof, the United Kingdom General Data Protection Regulation (UK-GDPR). The UK-GDPR automatically recognised all EU countries as adequate, and also recognised all existing EU adequacy decisions as UK adequate. This means that UK-GDPR will apply to EU Member States in the same way that the GDPR will be applying to the UK.
If your organisation has close business relations with UK-based entities that require constant data flow between the EU and the UK, it is important to take note of these developments. For further information regarding our services relating to GDPR, visit our page on General Data Protection Regulation.