36: Transfers and the end of the transition period
The Withdrawal Agreement maintained the effect of the GDPR in the UK and permitted personal data to continue being transferred between the EEA and UK (and vice versa) during the transition period in the same manner as if the UK remained a member of the EU. However, at the end of the transition period, if no adequacy decision is issued by the EU Commission, the UK would become a ‘third country’ under the GDPR and any transfer of personal data between the UK and EEA would need to adhere to the transfer restrictions.
The European Union (Future Relationship) Act 2020 implementing the EU–UK Trade and Cooperation Agreement has extended the transition period such that a transfer to the UK will not be considered a transfer to a third country under EU law for four months from 31 December 2020. This period shall be extended by two further months, unless the EU or the UK object or, if earlier, until there is an adequacy finding for the UK.
The ICO has been clear that data controllers need to consider what GDPR safeguards they can put in place to ensure that data can continue to flow into the UK if an adequacy decision isn’t issued. The UK has already confirmed that transfers out of the UK to the EU will be treated the same as transfers within the UK.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 were published on 17 December 2020. The purpose of these was to ensure that the necessary amendments to the UK’s data protection legal framework were made before the transition period ended and to make changes which echo recent developments in the EU.
One of the key changes in the Regulations is designed to reflect the July 2020 decision in Schrems II (Data Protection Commissioner v Facebook Ireland Ltd) (European Court of Justice). The original Schrems decision in 2015 declared that the ‘Safe Harbor’ provisions for sharing data with the US were invalid. In 2016 the European Commission adopted the Privacy Shield to replace this framework. The ECJ has now declared that the Privacy Shield is also invalid (although standard contractual clauses can still be used as an alternative). We discuss this and the restrictions on transfers in more detail in the firm’s previous blog.
The Regulations also enable binding corporate rules that pre-date the GDPR coming into force and that were authorised by a supervisory authority other than the ICO to continue to be relied on in certain circumstances. The ICO has published guidance for those organisations who currently rely on EU binding corporate rules as an appropriate safeguard for international transfers from the EEA.
Trustees may want to consider undertaking a review of their data policy and third-party agreements and consider how data flows in and out of the UK. There have been other important developments since the GDPR came into force in 2018 which are likely to mean a pension scheme’s data protection documentation requires a more general update; we can help with this.
We will be hosting a webinar on 25 February 2021 discussing the end of the transition period, transfer issues and more. Details will be published here closer to the time.