There has been much uncertainty surrounding the future of data protection after the end of the Brexit transition period on 31 December 2020. Just days before the end of the period, the EU and UK government announced they had agreed to the terms of a treaty. From a data protection point of view, this is just a temporary solution. What does the agreement mean for companies?
That an agreement has been reached is first and foremost good news for companies processing personal data on both sides of the Channel: in a no-deal scenario, legal data transfers would have been hindered immediately.
According to the agreement, the EU will allow free data flows between the EU/EEA and the UK for no more than six months until an adequacy decision has been adopted. To that end, the transmission of personal data from the EU to the UK shall not be considered a third country transfer under EU law for four months, with a possible extension by another two months (unless the EU or UK objects). This would allow data transfers at least until 30 April 2021, or perhaps even until 30 June 2021, under existing conditions.
This means that for now, companies as well as public bodies across all sectors, including law enforcement agencies, are allowed to continue to freely receive data from the EU/EEA, and vice versa. In that sense, companies do not need to make any immediate changes, and the EU General Data Protection Regulation (GDPR) will continue to have direct effect in the UK, thus averting an immediate stop to free data flows.
What happens next?
However, please bear in mind that the current deal between the EU and the UK is not a permanent solution for data protection. It merely allows for an extended period for personal data flows with the goal of reaching an adequacy decision within that timeframe. Furthermore, the EU or the UK can object to an extension of another two months. In that case, the UK would immediately become a third country with far-reaching consequences for data transfers.
Ideally, the extended period will be replaced by an adequacy decision for the UK if the European Commission concludes that the UK can provide an adequate level of data protection. In that regard, the EU will have to consider the implications of the Schrems II decision by the Court of Justice of the European Union (CJEU), which could be seen as an obstacle to an adequacy decision, as further explained in this article.
In brief, the EU-US Privacy Shield was deemed invalid in the Schrems II decision due to the insufficient level of protection in the U.S., particularly concerning surveillance practices. As the UK applies similar surveillance practices, it is uncertain if the UK could be considered as guaranteeing a sufficient level of data protection.
The ICO suggests in a statement that as a sensible precaution, before and during this period, companies should consider alternative transfer mechanisms to safeguard against any interruption to the free flow of data. Many companies have already started taking measures since the start of the Brexit transition period on 31 January 2020, such as modifying processes or preparing Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection between the EU and the UK. However, in the recent Schrems II decision, the CJEU questioned if SCCs would suffice to safeguard an adequate level of data protection.
Please read this article for more information on the impact of Schrems II on EU-UK data transfers after the end of the transition period.
What should companies do?
There are still many uncertainties, and the decision to extend the transition period is merely a temporary solution. Based on the recent development in EU data protection law, as demonstrated in the Schrems II decision by the CJEU, one cannot be sure that the EU will reach an adequacy decision. Companies should, therefore, consider alternative transfer mechanisms. That could mean considering alternative service providers within the EU, moving servers to the EU, or ensuring additional data protection guarantees that can be enforced.
Nevertheless, every company has its own demands in terms of data transfers. For that reason, it could be useful for you to seek individual legal advice to best suit your interests and needs.