11th January 2021

(Keep On) Going With The Flow

From 1 January 2021, the UK was out of the European Union and the transition period came to an end.  A lot of businesses had been worried about the lack of certainty on data transfers in and out of Europe from this date but fears that the free flow would end have been allayed (for the time being) with the Trade and Cooperation Agreement (the Agreement). 

Can We Still Transfer Data?

The UK now has an independent data protection regime and the GDPR has now been saved into the UK as a retained EU law.  Going forward, it will be renamed the UK GDPR, which means from 1 January 2021 for the most part the UK data protection law will be the same as before.  The Agreement has also created an extended transition period for data protection laws lasting up to a maximum of six months during which time the UK will not be considered a third country.  The hope is this extension will give the European Commission time to confirm if the UK has suitable data protection rules in place to be granted an “adequacy” status.  The initial extension started on 1 January and runs until an adequacy decision is made or for 4 months, but this can be extended by a further 2 months unless the EU or the UK objects. 

What does this mean for transferring data?  During the extension period, businesses in the UK can continue to transfer data in and out of Europe as before, without needing to put additional safeguards in place. 

This of course only applies to data transfers with the EEA countries, so businesses should continue to look at arrangements in place for non-EEA countries and check there are appropriate provisions in place to ensure the safe transfer of data.  This means businesses should ensure there is an adequacy decision or other appropriate safeguards are in place (like contractual clauses or binding corporate rules).  Particular thought should be given to any UK-US transfers given the invalidation of the US Privacy Shield last year.

What Does Adequacy Mean?

If the UK is granted an adequacy status, it means that there is no requirement for EEA countries to put in place additional safeguard measures for transfers of data to the UK.  The most common safeguard measures would be standard contractual clauses or binding corporate rules.  If there is no adequacy granted to the UK, European businesses dealing with UK businesses will look for these safeguard measures to be in place to comply with GDPR. 

For data going the other way, into Europe from the UK, the UK Government has confirmed that transfers can continue without any additional measures being needed but this is being reviewed regularly (although expected to last until December 2024 at least).

What Should We Be Doing?

The work done to date by businesses is not wasted even if it has related to a potential “no deal” scenario.  While it is hopeful that the UK will get an adequacy finding, it is not guaranteed and the ICO is continuing to advise business to make sure additional safeguards are in place as a precautionary measure to ensure there is no interruption to the flow of data in or out the UK and the EU. 

Businesses should use the next few months to review contracts, policies and procedures to ensure they will be fit for purpose at the end of the extended transition period.  An obvious change that could be needed is the update to confirm the UK is no longer an EU member state and not subject to the GDPR.  Definitions should be amended to include the UK GDPR and any territory references should cover both EU and UK.  

Do We Need EU Representation?

One area which businesses may not have considered, or may have placed lower down the list until there was a bit more certainty on the Agreement, is the need to appoint an EU Representative at the end of the extension period.  If you are a UK based business and you either (i) offer goods or services to individuals in the EEA or (ii) monitor individual’s behaviour, you should ensure you have a branch or establishment in the EEA or appoint an EU Representative. 

An EU Representative would be responsible for working with the relevant data protection authority in the EEA (depending on where you appoint them), act as a port of contact between EU individuals and your business and help manage your data processing record (as required under Article 30 of the GDPR).  The EU Representative should be in a relevant country so businesses should look at where customers are based and look to appoint a representative in the most appropriate country. 

It is also worth remembering there is a similar provision within the UK GDPR so a business based outwith the UK may need to appoint a UK representative.

Conclusion

The Agreement does provide some much-needed clarity on the immediate position and will hopefully allow an appropriate decision to be reached on the UK’s adequacy going forward.  We have been given a little more time, with a better indication that both sides are hoping to maintain the status quo, but businesses should not sit back and assume an adequacy finding will be granted; the saying “plan for the worst, hope for the best” still stands true.  That said, there is a clear emphasis on high data protection standards on both sides so businesses in the UK cannot go wrong by continuing to operate with the GDPR principles in mind and put individual’s privacy rights at the heart of any decision making relating to personal data.

Who To Contact?

If you need any advice about data protection generally, or Brexit and its implications, please get in touch with Blackadders’ Corporate & Commercial Team (working in Aberdeen, Dundee, Edinburgh, Glasgow, Perth and across Scotland).

Ruth Weir, Associate Solicitor
Corporate & Commercial
Blackadders LLP
@CorpLawyerRuth

www.blackadders.co.uk

The opinions expressed in this site are of the author(s) only and do not necessarily represent the opinions of Blackadders LLP.

Blackadders takes all reasonable steps to ensure that the content of this site is accurate and up to date. The site is not, however, intended as a substitute for seeking legal or other professional advice but rather as an informative guide to the services provided by Blackadders and topical legal developments. Site visitors should always seek advice tailored to their specific situation. Consequently, Blackadders accepts no responsibility for any loss or damage suffered by anyone acting or failing to act on the basis of information contained on this site. Downloading of material contained on this site is at the user’s own risk and all necessary virus checks must first be carried out by the user. Blackadders is not responsible for the material found on any web sites linked to this one and links to this site may only be made with Blackadders prior consent.

Copyright

Blackadders owns the copyright in this blog and all material contained on it. The material on this site may be downloaded for personal use only and must not be altered. Otherwise, Blackadders’ written consent is required before any material on this site is reproduced, copied or transmitted in any way.

Privacy Statement

Information passed to us via this site is kept confidential and will not be disclosed to third parties except if authorised by you or required by law.

© Blackadders LLP 2022

Members of the Law Society of Scotland.

Blackadders Solicitors is a trading name of Blackadders LLP, a limited liability partnership, registered in Scotland No SO301600 whose registered office is 30 & 34 Reform Street, Dundee, DD1 1RJ. Reference to a ‘partner’ is to a member of Blackadders LLP.

Back to Business Legal News from Blackadders Solicitors