The Christmas Eve deal or keeping up appearances: the transfer of personal data after the Brexit
On 23 June 2016, the British decided in a referendum to leave the EU. This was barely a month after the entry into force of the GDPR. More than 4 years later, after one deadline following another, the separation is finally complete. The Christmas Eve deal of 24 December 2020 seals the orderly exit of the UK from the EU. Or wait. Not quite. After all, the GDPR is still to be decided. Within four months. Perhaps 6. Who knows?
International transfer of personal data
From the summer of 2020, personal data and their transfer across international borders were in the news. The Court of Justice of the EU (ECJ) placed a bomb under such transfers in the Schrems II judgment by invalidating the privacy shield. And in October, in a ruling on the UK (and French and Belgian) government’s supervisory arrangements, the same ECJ further shaped the way policymakers should evaluate data protection arrangements.
At the same time, there was no prospect of an orderly Brexit. In the midst of general organisational and economic concerns about a possible hard Brexit, there were also some voices highlighting the international transfer problems surrounding the United Kingdom’s exit. After all, from a continental European perspective, hue and cry began about data transfers to the US, but the UK is, of course, a much closer neighbour.
After all, it was not so clear whether the transfer of personal data from the EEA to the UK could proceed just as seamlessly after the Brexit transitional period without additional measures. Indeed, unless the European Commission took an ‘adequacy decision’ in relation to the UK by 31 December 2020 (or some other form of agreement was reached), EU/EEA organisations that transfer personal data to organisations in the UK (or give them access to the data) would breach the GDPR.
No room for manoeuvre for the EU
The fact that the UK would become a ‘third’ country to the EU is an obvious consequence of the Brexit. However, the impact of this on the transfer of personal data has not received the necessary attention by a long shot.
When it began to dawn, it was suggested that only 2 solutions were possible: either a derogation was agreed by the ultimate deadline (the “adequacy decision” type), or the parties involved in such transfers would have to take alternative measures to enable such data transfers. In any case, in the light of the ECJ rulings of the 2nd half of 2020, the European Commission’s (and parties involved in data transfers) room for manoeuvre was very limited.
Let us decide not to decide
The Christmas Eve deal, finally concluded between the UK and the EU on 24 December 2020, gave many people a sense of relief. Even without knowledge of the 1,259-page document, it was clear that such an agreement was better than no agreement.
However, anyone who, in addition to answers to other pressing issues, was looking for a solution to the data transfers is deceived: on page 414, negotiators agree that, for a further period of time, the UK will will not be regarded as a third country (and everything will remain the same, even if the UK has now left the EU).
At least for as long as the UK does not change its legislation. And pending an adequacy decision by the European Commission within 4 months. A period which, moreover, can be extended by a further 2 months.
In this way, uncertainty will be maintained and our businesses will be looking to the end of June for a new deadline. Anyone who likes to make decisions will in any case remain hungry.
Does your company transfer personal data to the UK? And do you have any questions about the best strategy to follow in this regard? Contact us at firstname.lastname@example.org.
Written by Duygu Öztürk, CIPP/E, Privacy Chair theJurists, and Kris Seyen, Partner theJurists.