The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.
Instead, a grace period of four to six months will apply to EU-to-UK transfers while the European Data Protection Board and European Commission evaluate whether the UK’s Data Protection Act 2018 provides adequate protection to EU personal data. On its face, this looks like an easy call to make since the UK’s Data Protection Act 2018 literally incorporates the EU GDPR. However, now that the UK is no longer in the EU, it’s possible that EU decision-makers will raise objections on the basis of the UK’s national surveillance laws, as they have in the case of the US. So a reciprocal adequacy decision is not guaranteed.
That leaves organizations that want to transfer personal data from the EU to the UK with a minor dilemma – should they work on the assumption that, before the end of the grace period, the EU will decide that UK data protection laws are adequate, or plan for the worst? The UK ICO has recommended that organizations start taking steps now to put “alternative safeguards” in place to ensure that data transfers can continue uninterrupted in the event that the EU does not reach a positive decision before the end of the grace period.
The most commonly used alternative safeguard is the Standard Contractual Clauses (SCCs) – form contracts that have been approved by the European Commission. But the SCCs themselves are currently under review by the Commission, which raises the next question: Use the current SCCs, or wait a few weeks – or more – to see if the Commission has approved the new SCCs? (See our previous blog post here discussing the new SCCs.) Unfortunately, we don’t know yet when we can expect a Commission decision adopting the new SCCs.
The downside of using the current SCCs is that if the EU does not grant the UK an adequacy decision, then parties to the current SCCs will need to put the new SCCs in place within one year of their adoption – so you will go through the entire SCC exercise twice within a year or so. The downside of waiting to see if the new SCCs are approved is that waiting will shorten the time left before the end of the data transfer grace period, so you could end up in a last-minute scramble to get SCCs in place. Either way, there will be some time and effort involved – and a small gamble one way or the other.