Under the data protection law, when the UK left the EU, it became a third country, thus became subject to special requirements for data transfers in accordance with Chapter 5 of the GDPR.

For the period between February 1, 2020, when the Agreement on the Withdrawal of the UK from the EU entered into force, until December 31, 2020, the EU data protection law would continue to apply in the UK for the processing of personal data of persons from outside of the UK. For the said period, the UK would not be considered a third country within the meaning of Article 44 of the GDPR. Shortly before the end of this transitional period, the EU and the UK agreed on a Trade and Cooperation Agreement, providing a new transitional period of 4 months, starting on January 1, 2021 and ending either when the EU has adopted an adequacy decision for the UK pursuant to Article 45(3) of the GDPR, or on April 30, 2021, with the possibility to extend such deadline up to 6 months, if no party objects. Under this Agreement, the transfer of personal data from the EU to the UK will not be considered a third-country data transfer according to Article 44 GDPR.

So, what happens after the end of this transitional period? It is likely that the EU will reach an adequacy decision. Under Article 45(3) of the GDPR, the EU Commission can adopt an adequacy decision when, after detailed examination, it concludes that the level of protection for the processing of personal data in the UK is the same as that under the GDPR or that the UK otherwise ensures an adequate level of protection. To this direction, the EU Commission presented its draft Adequacy Decisions on the UK’s adequacy under the GDPR and the Law Enforcement Directive, on February 19, 2021, which are due for approval. In both cases, the European Commission has found the UK to be a secure third country for data protection purposes. These draft decisions will be considered by the European Data Protection Board and a committee of the 27 EU Member Governments. If the committee approves the draft decisions, then the European Commission can formally adopt them as legal adequacy decisions.

The main challenge for the Adequacy Decision is the compatibility of the British “Investigatory Powers Act 2016” with the GDPR. In this respect, the judgment of the ECJ of July 16, 2020 (“Schrems II”) is relevant. In that case, the ECJ declared that the Commission’s Adequacy Decision on the “Privacy Shield”, for data transfers between the EU and the USA was invalid and an adequate level of data protection could not be guaranteed. The ECJ criticized the fact that information about EU citizens on US servers could not be protected against access by US authorities and intelligence services. In the above context, the legislation of the UK regarding mass surveillance, access to devices and communication data, as well as the surveillance powers of the British secret services may not meet the level of privacy guaranteed by EU law.

If adequacy decisions are not adopted at the end of the transitional period, personal data transfers from the EU to the UK will need to comply with the provisions of the GDPR, regarding international data transfers.

The editorial team