Brexit: How does data transfer between the EU and the UK work?
Brexit entails an exit in stages in terms of data protection regulations. It was and is, therefore, characterised by transitional arrangements.
What arrangements have been made so far?
The UK continued to be treated as an EU member until the end of 2020, with the result that cross-border data traffic could be handled on the basis of the General Data Protection Regulation (GDPR).
What will happen this year?
The EU and the United Kingdom have agreed on the ground rules for future cooperation under a Trade and Cooperation Agreement (TCA) for a further transitional period.
The TCA provides that current data transfers will be governed by the Data Protection Act 2018, i.e., national data protection law in the UK, and a new, adapted GDPR, the “UK GDPR”. This largely corresponds to the version of the GDPR that applies within Europe. Data transfers to the UK will therefore continue to be possible during the transition period as if the country were still in the EU.
Can mass senders of commercial emails currently stay calm and sit back?
The application of the transitional regime of the TCA is subject to a number of conditions. The UK must not change its data protection laws or engage in acts that effectively change the level of data protection that currently exists. If the UK were to violate these conditions, data transfers from the EU to the UK would immediately be considered cross-border transfers to an unsafe third country under Art. 44 et seq. GDPR. As a result of this regulation, there is still legal uncertainty for EU data exporters, as the transitional provision could end at any time and without notice for data transmitters and processors.
When do the transitional arrangements end and what comes after that?
The EU’s goal is to present a so-called adequacy decision by the end of June this year at the latest, stating that the level of data protection in the UK is comparable to that in the EU. The decision is currently being negotiated; a first draft from the Commission is already available. The European Data Protection Board (EDPB) is to issue an opinion soon.
What happens if the adequacy decision does not come about?
In this case, senders could make use of the so-called Standard Contractual Clauses (“SCCs”) provided by the EU Commission. The problem here, however, is that the SCCs are being revised following the ruling of the European Court of Justice on the EU/US Privacy Shield. (See also our blog articles “Outlook for 2021 – What will keep us busy in the coming year? Part 2: New EU-US data transfer pact?” and “What to do after the toppling of the EU-US Privacy Shield?”)
The draft adequacy decision by the EU Commission can make senders of commercial emails cautiously optimistic. Nevertheless, further developments must be closely monitored so that, if necessary, standard contractual clauses can be used flexibly. Therefore, senders should have a plan B for the implementation of SCCs in their back pockets.