Since the UK left the EU on 31 January 2020, transfers of personal data between the UK and the EEA have continued to be permitted under temporary provisions. In a positive step, the European Commission has formally launched the procedure for the adoption of an adequacy decision which would permit the free flow of personal data from the EEA to the UK on a more permanent basis. Here, we summarise what this means for UK employers.
Why does the UK need an adequacy decision?
By way of reminder, the data protection regime established by the European General Data Protection Regulation (EU GDPR) restricts international transfers of personal data on the basis that other countries may not offer a sufficient level of data protection. The EU GDPR only permits transfers of personal data outside the EEA (i.e. the 27 EU countries plus Iceland, Liechtenstein and Norway) if the country or territory to which the data is transferred has received an ‘adequacy decision’, additional safeguards (such as standard contractual clauses, or binding corporate rules) are put in place, or an exception applies. (Note that employers also have to provide information about restricted transfers and applicable safeguards in their privacy notices.)
These restrictions on international transfers have the potential to interrupt data flows and be disruptive to business. For example, if you are part of a multinational corporate group with companies in the UK and across the EEA, operating a centralised HR portal, you and the other companies in your group will be constantly sending and receiving personal data across borders.
Since exceptions are only rarely applicable, it is much easier for an employer in an EEA country to transfer personal data to a third party in a non-EEA country when there is an adequacy decision in place, as it removes the need for potentially complex additional safeguards.
On what basis can EEA organisations currently transfer personal data to the UK?
Fortunately, for the time being at least, personal data can still flow freely from the EEA to the UK under the ‘bridging’ provision in the Trade & Co-operation Agreement between the EU and the UK. This provision allows transfers of personal data from the EEA to the UK to continue unrestricted for up to six months (i.e. until the end of June 2021) while the EU Commission considers the adoption of an adequacy decision in respect of the UK. (The ICO has nonetheless indicated that it would be a sensible precaution for companies which work with and receive personal data from EEA organisations to put in place alternative safeguards in order to protect against any interruption to the free flow of personal data from the EEA to the UK, should an adequacy decision not be granted.)
Launch of the UK adequacy process
As noted above, the European Commission formally launched the procedure for the adoption of an adequacy decision on 19 February, by publishing a draft adequacy decision in respect of the UK. As explained in the Commission’s press release, the draft decision will now need to be considered by the European Data Protection Board, which will give a non-binding opinion on it, and to be approved by a committee composed of representatives from EU Member States. It is only once that process has been completed that the Commission can adopt the adequacy decision.
What are the longer-term implications?
If adopted, the adequacy decision would initially be valid for four years, after which it can be renewed if the Commission considers that the level of protection for personal data in the UK remains adequate. It is also possible that the adequacy decision could be subject to legal challenge, for example by privacy activist groups (as was the case for the US Privacy Shield in July 2020 – see more here), which would create renewed uncertainty in this area.
Despite the potential for some further difficulties in the future, for now the publication of the draft decision is a positive step which seems to make it more likely that the Commission will grant the UK a formal adequacy decision before the end of the six-month ‘bridging’ period under the Trade & Co-operation Agreement.
This will be welcome news for UK employers that receive personal data from third parties in the EEA, as it reduces the likelihood that alternative safeguards will ultimately be needed to facilitate the continued flow of such data.
What about transfers of personal data from the UK to the EEA?
Post-Brexit, the UK GDPR (i.e. the EU GDPR as it has been incorporated into UK law) restricts transfers of personal data outside the UK. However, personal data can flow freely from the UK to the EEA as the UK Government has recognised the adequacy of data protection provisions in EEA countries. Such recognition was granted on an interim basis in preparation for the end of the transition period, but currently remains in place and is not expected to be revoked.
How we can help
Our upcoming webinar, GDPR in 2021: key issues for HR, will cover the impact of the UK’s exit from the EU following the end of the transition period in more detail. It will also address key issues such as recent ICO guidance on subject access requests (SARs), handling personal data securely in the context of remote/home-working and the ongoing management of Covid-19 related health data. The webinar will take place on the morning of Tuesday 23 March. For more information and to book your place, click here.
Make UK have produced a set of Essential GDPR Templates for HR, which contains the HR ‘must have’ documents required for GDPR compliance, including template employee and job applicant privacy notices, a data protection policy, employee data retention process and more. These documents have just been updated to reflect the end of the transition period and various recent changes to ICO guidance. For further information and to purchase the template documents, please contact Laura Heggs (firstname.lastname@example.org).
Make UK members also have access to our online HR & Legal Resources, which include extensive guidance on the GDPR and employers’ data protection compliance obligations. If you are a Make UK member, click here to view these resources. If you are interested in becoming a Make UK member, please contact email@example.com.