Complying with data protection rules

On 24 December 2020, the United Kingdom and the European Union concluded the EU-UK Trade and Cooperation Agreement (hereinafter the “Agreement”).

The Agreement explicitly prohibits data localisation requirements. This means that requirements to store or process data in a certain location cannot be imposed, which helps to facilitate the cross-border flow of data by preventing such costly obligations from falling on UK businesses.

Furthermore, at the end of the transition period, the European General Data Protection Regulation (GDPR) was implemented into UK law as the UK GDPR. The UK GDPR stands on equal footing with the UK Data Protection Act 2018. The principles of the EU GDPR have thus been incorporated into UK data protection law.

That being said, the EU GDPR may still apply directly to UK companies operating in Europe, offering goods or services to individuals in Europe, and/or monitoring the behaviour of individuals in Europe.

The Agreement also provides for the fast and effective exchange of national DNA, fingerprint and vehicle registration data between the UK and individual EU Member States to assist law enforcement agencies in investigating crime and terrorism. Known as “Prüm data”, this has never before been exchanged between the EU and a non-Schengen third country.

The Agreement also includes a novel provision on open government data.

Your contact for more details: Astrid Wagner (astrid.wagner@arendt.com) and Faustine Cachera (faustine.cachera@arendt.com)
(19/01/21)

On 1 January 2021, the UK became a "third country" no longer bound by the GDPR. The European Commission is currently assessing whether the UK could be granted an adequacy decision that would cover personal data transfers from the European Economic Area (EEA) to the UK. In the meantime, such transfers constitute international data transfers and are, in principle, restricted.

However, the Agreement provides for a six-month interim adequacy grace period (Part 7, Chapter 10, page 407: “four months after the specified period begins, which period shall be extended by two further months, unless one of the Parties objects”) during which transmission of personal data from the EU to the UK will not be treated as a transfer to a third country.

This grace period could end earlier, if the European Commission adopts an adequacy decision before it expires.

For the time being, therefore, UK businesses and public bodies across all sectors may continue to receive data from the EEA freely.

During the grace period, the UK cannot amend the applicable data protection regime, approve a new draft code of conduct, approve new certification mechanisms, approve new binding corporate rules, authorise new contractual clauses, or authorise new administrative arrangements without the agreement of the EU.

On 19 February 2021, the European Commission launched the process towards the adoption of two adequacy decisions for transfers of personal data to the UK (one under the GDPR and the other for the Law Enforcement Directive). After taking the opinion of the European Data Protection Board into account, the Commission will request the green light from Member States' representatives [2].

Your contact for more details: Astrid Wagner (astrid.wagner@arendt.com) and Faustine Cachera (faustine.cachera@arendt.com)
(24/02/21)

1. Court of Justice of the European Union, Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.
2. Data protection: European Commission launches process on personal data flows to UK

Data controllers and processors not established in the EU but subject to the GDPR under its extraterritorial scope (Article 3(2)) are under an obligation (Article 27) to designate a representative in the Union.

If an entity (i) is located outside of the UK with no offices, branches or other establishments in the UK but (ii) is offering goods or services to individuals in the UK or monitoring the behaviour of individuals within the UK, it may need to appoint a UK representative.

If an entity (i) is located in the UK with no offices, branches or other establishments in the EEA but (ii) is offering goods or services to individuals in the EEA or monitoring the behaviour of individuals in the EEA, it may need to appoint a European representative [3].

The appointment of a representative is not required for public authorities or for occasional processing which poses only a low risk to the data protection rights of individuals, and which does not involve the large-scale use of special category or criminal offence data.

The EDPB has issued guidelines on the territorial scope of the GDPR [4] that contain useful information on the need (or lack thereof) to designate a representative.

Your contact for more details: Astrid Wagner (astrid.wagner@arendt.com) and Faustine Cachera (faustine.cachera@arendt.com)
(19/01/21)

3. Please refer to the ICO guidelines
4. Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).

The EU GDPR has introduced cooperation and consistency procedures (the One Stop Shop) under which an entity conducting cross-border data processing deals with a single lead supervisory authority, that of its main establishment in the EU, which is responsible for regulating all of its cross-border processing and enforcing the EU GDPR in respect of it.

As of 1 January 2021, however, it is no longer possible to designate the UK data protection authority, the Information Commissioner’s Office (ICO), as a lead supervisory authority for the purposes of the One Stop Shop.

In practice, therefore, entities processing data of individuals in both the UK and the EEA will sometimes have to notify both the ICO and their EU lead supervisory authority in relation to matters involving cross-border processing (e.g. in the event of a personal data breach).

Your contact for more details: Astrid Wagner (astrid.wagner@arendt.com) and Faustine Cachera (faustine.cachera@arendt.com)
(19/01/21)