Amongst the (many) uncertainties linked to Brexit, its potential restrictive impact on data transfers between the European Economic Area (EEA) and the UK was an important one for all businesses with cross-border activities.
The EU-UK Trade and Cooperation Agreement (the Brexit deal) adopted last December has brought a temporary answer to it. It allows EEA firms to continue transferring personal data to the UK under the same rules as before Brexit, and this, for a period of four months (extendable to six months) known as the “Bridge”.
As a result of Brexit, UK has officially left the European Union since 1 January 2021.
Under the General Data Protection Regulation (GDPR), data transfers outside the EEA are only allowed if:
- the third country concerned has been the subject of an adequacy decision, i.e. the European Commission’s decision that the third country concerned ensures an adequate level of protection, or
- in the absence thereof, if the transfer is accompanied with safeguards guaranteeing adequate protection of the personal data transferred. These transfer mechanisms may take different forms, but they all require additional measures compared to transfers within the EEA – which all EEA firms have not yet implemented. Besides, since the CJEU’s decision of last summer in the Schrems II case, the conditions to implement the most commonly used of those measures, the standard contractual clauses, have been questioned, increasing the complexity and the level of uncertainty regarding non-EEA transfers.
Before the Brexit deal, since no adequacy decision on the UK had been adopted, transfers of personal data from the EEA to the UK after 31 December 2020 should have carried out an additional transfer mechanism that international businesses should potentially have had to implement on short notice.
Thanks to the Brexit deal, this issue has been temporarily resolved by creating the Bridge.
Under the Bridge, for a limited time, personal data transfers from the EEA to the UK will not be considered as transfers outside the EEA. In practice, during this period, businesses can keep transferring personal data from the EU to the UK under the same rules as before Brexit.
That temporary regime will normally apply for a period of four months, automatically extended to six months unless the EU or the UK objects. This regime may end earlier if the European Commission adopts an adequacy decision for the UK in the meantime – in which case the temporary regime will no longer be needed.
This regime is subject to strict conditions, for example, the continued application of the UK data protection law as at 31 December 2020. If these conditions are not met, the Bridge could end prematurely.
All eyes are now turned to the European Commission and a possible adequacy decision regarding the UK. It seems to be the next logical step but is in no way guaranteed.
Should the European Commission take such a decision, entities with cross-border activities will be able to continue transferring personal data from the EEA to the UK without having to implement the additional transfer mechanisms.
If no adequacy decision is adopted by the end of the Bridge period, all personal data transfers from the EEA to the UK will become transfers to a third country, triggering the obligation to implement the appropriate safeguards for data transfers to third countries as required by the GDPR.
We will keep you posted, stay tuned!