We’ve all been waiting with bated breath to see whether the EU will allow EU-to-UK data transfers to enjoy the pre-Brexit freedoms we have all become used to.
The journey isn’t over yet but the Commission has just published a draft ‘Decision’ which, if approved by both the European Data Protection Board (which will need to give its “opinion”) and a committee of the European Parliament will mean that businesses handling regular EU-UK processing can relax a little, safe in the knowledge that the UK’s data protection regime is still on a par with that of the EU.
This is perhaps not surprising given that the new “UK GDPR” is based on “retained EU legislation”. But, in politics, of course, nothing is ever quite certain.
Just to give you some of the history and an insight into how these things are handled in Brussels, here are some extracts from the Commission’s draft legal text.
“As of 1 January 2021, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement (TCA), agreed by EU and UK negotiators on 24 December 2020 and provisionally applicable since the first day of the year. The [TCA] provides for an interim regime (so-called ‘bridging clause’, enshrined in Article FINPROV.10A of the TCA) that ensures the full continuity of data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the GDPR… This solution is applicable for a period of maximum six months, and is conditional on the commitment by the UK not to change the data protection regime currently in place. In essence, this means that the UK must continue to apply the data protection rules, based on EU law, that were applicable during the transition period.”
Draft Article 1 of the proposed Decision would therefore read-
For the purposes of Article 45 of Regulation (EU) 2016/679 [GDPR], the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom. “
So it’s a step in the right direction and one that suggests we perhaps won’t have to resort to the costly and time- consuming burden of putting in place Standard Contractual Clauses or Binding Corporate Rules (BCRs) as the alternative means ensuring adequate protections for data.
Over now to the EDPB and European Parliament for what we hope might be a fairly prompt confirmation of the Decision.
Tim Heywood FRSA is a Partner at Gunnercooke llp specialising in data protection, cyber and information law.
The contents of this note are intended for general guidance purposes only and are not legal advice. No reliance should be placed on the guidance and we accept no liability for any reliance placed upon it. Specific legal advice should always be obtained in relation to your particular circumstances.