The data protection implications of Brexit

After more than four years of negotiations following the UK’s referendum on Brexit, a Trade and Cooperation Agreement (hereinafter referred as “TCA”) was finally agreed on 24 December 2020. The TCA sets out arrangements in various areas including the processing of personal data.

Impacts on data transfers

Under the TCA which is applicable from the 1 January 2021, the EU has agreed to delay restrictions on data transfer from the EEA to the UK for an additional period maximum until June 30, 2021 (the so called bridge). This enables the transfer of personal data to the UK to flow in accordance with the GDPR without any further restrictions. Without this bridge the UK would be considered as a third country. However, if the bridge ends and by then no adequacy decision will be adopted by the EU Commission, data transfers can only take place if the requirements of the GDPR on data transfer to third countries are met.

Applicable laws

The GDPR is an EU Regulation and as of 1 January it no longer applies to the UK. However, the GDPR may also still apply to UK controllers/processors who operate in the EEA, offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. The provisions of the GDPR were incorporated directly into UK law (UK GDPR) at the end of the transition period (31.12.2020). So the core data protection principles, rights and obligations of the GDPR practically remained the same. Alongside the UK GDPR the UK Data Protection Act 2018 (DPA 2018) continues to apply in the UK and also for controllers/processors based outside the UK if their processing activities relate to the offering goods or services to individuals in the UK or monitoring the behaviour of individuals taking place in the UK.

Competent authority for cross-border issues

For any EU-UK cross-border disputes UK controllers/processors, in order to benefit from the one-stop shop mechanism of the EU, from 1 January 2021, will need to have a principal establishment in the EU.

EU representative

As of 1 January 2021, UK controllers/processors, who are subject to the GDPR, are required to appoint a "representative" in the EU.

Adequacy decision

Also, the UK is covered by the requirement of adequacy where to third countries must provide of an adequate level of data protection if personal data from the EEA will be transmitted. Hence, the data protection safeguards in place in a third country must provide the same levels of safeguards that apply in the EU for the protection of personal data.  You need to consider what alternative safeguards you can put in place to ensure that data can continue to flow into the UK for being prepared if no adequacy decision will be rendered by the European Commission.

Autor: Tommaso Olivieri