After months of arduous negotiations, the EU-UK Trade and Cooperation Agreement (the Brexit Deal) of 24 December 2020 is good news and provides a welcome degree of certainty to businesses. The Brexit Deal sets out the framework for the UK-EU relationship effective from 1 January 2021, but what is its effect on data protection matters compared to the UK’s former membership of the EU? In this post, we take a look at each matter and provide a quick-reference summary table.
- EU-UK data transfers. The Brexit Deal maintains the current ability for personal data to flow freely from the EU (and the EEA) to the UK for up to six months. The intention is to give the European Commission sufficient time to adopt an adequacy decision in respect of the UK so that the arrangement becomes permanent.
The UK’s Information Commissioner’s Office (ICO) is nevertheless recommending that UK businesses continue to work to put in place alternative transfer mechanisms "as a sensible precaution," to safeguard against any interruption to data flows in the event that the European Commission does not adopt an adequacy decision during the six month ‘bridging period’ afforded under the Brexit Deal.
- UK-EU data transfers. Irrespective of the Brexit Deal, the UK government had already announced its intention to regard all EEA Member States as adequate for the purposes of data transfers to those jurisdictions.
- Interaction with the European data protection authorities. The ICO may no longer be part of the GDPR’s One Stop Shop mechanism. UK organisations may therefore need to identify a lead supervisory authority in the EU. The ICO is also unable to act as a lead supervisory authority for new and existing applications for Binding Corporate Rules (BCR) under the GDPR. The ICO has recently introduced and will approve UK BCRs to enable data transfers from the UK. Organisations with existing authorised EU BCRs are required to apply to the ICO for confirmation of automatic eligibility for UK BCRs.
- Appointment of an EU representative. UK-based controllers or processors that are not established in the EU but still offer goods or services to EU-based individuals or monitor the behaviour of individuals in the EU may be required to appoint an EU representative.
- Appointment of a UK representative. Similarly, non-UK based controllers or processors with no establishment in the UK that are offering goods or services to UK-based individuals or monitoring the behaviour of individuals in the UK may be required to appoint a UK representative.
- Updates to privacy notices, policies and DPIAs. Despite the Brexit Deal, UK and EU organisations are also likely to be required to make changes to privacy notices, internal policies and documentation and existing and new DPIAs to reflect the fact that the UK is no longer an EU Member State.
See here our comparison table summarising the limited effect of the Brexit Deal in terms of data protection.
Authored by Eduardo Ustaran and Katie McMullan.