UPDATED: Some breathing space for GDPR in the Brexit trade agreement

Jan 4th 2021 UPDATE: It turns out that the UK-EU Trade Agreement and the delay to restrictions on EU to UK data flows (i.e. the decision on adequacy) only affect EU to UK data flows. They do not affect any other aspect of the extra-territorial reach of GDPR (the post below is updated at the end to reflect this). So, now that the Brexit transition period has ended:

  • You don’t need to worry about having Standard Contractual Clauses in place until a decision is made about UK adequacy
  • You do still need to put in place an EU Representative if you are selling products and services to EU individuals
  • You do still need to worry about the loss of the one-stop-shop approach to the appropriate authority

So, it would seem that the ICO’s statement on 28th December, which included the sentence “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices” isn’t as broad as I first thought!

— update ends —

On Christmas Eve (2020) the UK government reached a trade agreement with the EU.

Over the last year of the Brexit transition (which ends on the 31st December) there has been concern about what this means for data protection compliance. As I’ve posted before, this essentially means that from 1st January 2021, organisations that process EU data are likely to be impacted:

  • Lack of an adequacy decision could mean the need for Standard Contractual Clauses between UK data controllers and EU data processors
  • UK businesses targeting products and services to EU individuals or monitoring EU individuals’ behaviours may need to appoint an EU representative
  • UK businesses that process data of EU citizens are likely to be answerable to the ICO and other EU equivalents (i.e. the loss of the so-called “one stop shop”)

Title III, Article DIGIT.6 and Article DIGIT.7, of the agreement specifically address cross-border data flows and the protection of personal data and privacy. In addition, Article DIGIT.14 relates to controls over unsolicited direct marketing. But data protection related commentary is actually spread throughout the agreement (and is difficult to find without working your way through the agreement).

Some breathing space for GDPR

Overall, there are no surprises. Each party recognises the need for data protection, but wants it not to hinder trade, and wants to protect citizens from unsolicited marketing. When it comes to an agreement around UK data protection adequacy (the EU test that UK data protection law protects EU citizens’ data in the same way EU GDPR does) you have to look in the separate Declarations:

DECLARATION ON THE ADOPTION OF ADEQUACY DECISIONS WITH RESPECT TO THE UNITED KINGDOM

The Parties take note of the European Commission’s intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the General Data Protection Regulation and the Law Enforcement Directive, and its intention to work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure.

A grace period for GDPR compliance

For the time being, though, the most important bit in the Agreement is “Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom”, which sets out that for a “specified period”:

transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law

This applies provided the UK does not renege on its current agreement to adopt EU GDPR into UK law.

The “specified period” runs from 1st January 2021 for up to 4 months (although this can be extended to 6) unless an adequacy decision is reached before that time.

So, what does this mean from 1st January 2021?

So, it seems that work is still afoot for determining UK adequacy. If adequacy is achieved then transfers to the UK of EU data will not be restricted and the Standard Contractual Clauses will not be needed. But EU representatives, and potentially the loss of a regulatory authority “one stop shop”, are likely to remain, so if you haven’t already, you will need to consider (if you’re impacted) how you’re going to appoint such a representative.

However, there is no certainty about when we’ll see an adequacy decision and it seems there is still a risk that after 4 months (or maybe 6) no adequacy materialises and we’re back to needing those Standard Contractual Clauses as well as everything else.

So, what does this mean for you in the interim?

  • Everything continues as it has been under the Brexit transition until either 4 months is up or an adequacy decision is reached meaning:
    • You don’t need to worry about Standard Contractual Clauses
    • You still need to worry about EU representation
    • You still need to worry about the loss of the “one stop shop” regulatory regime
