Brexit deal & data transfers: a temporary relief
22/01/2021

Amongst the (many) uncertainties linked to Brexit, its potential restrictive impact on data transfers between the European Economic Area (EEA) and the UK was an important one for all businesses with cross-border activities.

The EU-UK Trade and Cooperation Agreement (the Brexit deal) adopted last December has brought a temporary answer to it. It allows EEA firms to continue transferring personal data to the UK under the same rules as before Brexit, and this, for a period of four months (extendable to six months) known as the “Bridge”.

 

THE CONTEXT

As a result of Brexit, UK has officially left the European Union since 1 January 2021.

Under the General Data Protection Regulation (GDPR), data transfers outside the EEA are only allowed if:

the third country concerned has been the subject of an adequacy decision, i.e. the European Commission’s decision that the third country concerned ensures an adequate level of protection, or
in the absence thereof, if the transfer is accompanied with safeguards guaranteeing adequate protection of the personal data transferred. These transfer mechanisms may take different forms, but they all require additional measures compared to transfers within the EEA – which all EEA firms have not yet implemented. Besides, since the CJEU’s decision of last summer in the Schrems II case, the conditions to implement the most commonly used of those measures, the standard contractual clauses, have been questioned, increasing the complexity and the level of uncertainty regarding non-EEA transfers.

Before the Brexit deal, since no adequacy decision on the UK had been adopted, transfers of personal data from the EEA to the UK after 31 December 2020 should have carried out an additional transfer mechanism that international businesses should potentially have had to implement on short notice.

Thanks to the Brexit deal, this issue has been temporarily resolved by creating the Bridge.

THE BRIDGE

Under the Bridge, for a limited time, personal data transfers from the EEA to the UK will not be considered as transfers outside the EEA. In practice, during this period, businesses can keep transferring personal data from the EU to the UK under the same rules as before Brexit.

That temporary regime will normally apply for a period of four months, automatically extended to six months unless the EU or the UK objects. This regime may end earlier if the European Commission adopts an adequacy decision for the UK in the meantime – in which case the temporary regime will no longer be needed.

This regime is subject to strict conditions, for example, the continued application of the UK data protection law as at 31 December 2020. If these conditions are not met, the Bridge could end prematurely.

WHAT’S NEXT?

All eyes are now turned to the European Commission and a possible adequacy decision regarding the UK. It seems to be the next logical step but is in no way guaranteed.

Should the European Commission take such a decision, entities with cross-border activities will be able to continue transferring personal data from the EEA to the UK without having to implement the additional transfer mechanisms.

If no adequacy decision is adopted by the end of the Bridge period, all personal data transfers from the EEA to the UK will become transfers to a third country, triggering the obligation to implement the appropriate safeguards for data transfers to third countries as required by the GDPR.

We will keep you posted, stay tuned!

***

For any question, please contact Simont Braun’s Digital Finance Team: [email protected] – +32 (0)2 543 70 80

Voir aussi : Simont Braun

[+ http://www.simontbraun.eu]


Tous les articles Droit Européen

Derniers articles Droit Européen

European Commission unveils its 'Fit for 55' package
23/07/2021

On Wednesday 14 July 2021, the European Commission took a major step to accomplish its ambitious goal of making Europe the...

European Commission unveils its 'Fit for 55' package Read more

Draft revised vertical regulation and guidelines
22/07/2021

The European Commission takes a hard line against online platforms, dual distribution and MFNs

Draft revised vertical regulation and guidelines Read more

EU and US Merger review and privacy law: Does the Google/Fitbit decision draw a line in the sand?
19/07/2021

The interplay between merger enforcement and privacy policy has recently attracted significant attention. The key question...

EU and US Merger review and privacy law: Does the Google/Fitbit decision draw a line in the sand? Read more

General Court of the CJ annuls State aid decision in Amazon case
13/07/2021

The case concerned the arm’s length nature of a royalty paid by a Luxembourg operating company (LuxOpCo) to a L...

General Court of the CJ annuls State aid decision in Amazon case Read more

LexGO Network