Home / Publications / Brexit: implications for data protection

Brexit: implications for data protection

January 2021

Miguel Recio

On the 24th of December 2020, the European Union (EU) and the United Kingdom reached a last-minute deal on Brexit. Interestingly, the UK-EU Trade and Cooperation Agreement is the first time the EU has agreed provision on data in a free trade agreement. 

With regards to digital trade provisions, the Agreement stipulates for free movement of data and prohibits requirements to store or process data in a certain location whilst nevertheless also confirming strong data protection commitments by both the UK and the EU, protecting consumers and helping to promote trust in the digital economy. In this respect, the Agreement, is based on the common objective of tackling unjustified barriers to e-commerce and ensuring an open, secure, and reliable online environment for businesses and consumers.

With regards to the free flow of personal data from the EU/EEA (European Economic Area) to the UK, one of the final provisions in the Agreement states that this can continue from the EU/EEA until adequacy decisions have been adopted, which should happen within six months.  It goes without saying that the UK has, on a transitional basis and in a reciprocal manner, deemed the EEA to be adequate to allow for data flows from the UK without the need to meet additional requirements. 

Notwithstanding the above, the Information Commissioner’s Office (ICO) issued a statement on the 28th of December 2020 recommending that businesses put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data.

In practice, this will mean that if UK adequacy is not recognized within the indicated time frame, those who transfer personal data from the EU/ EEA to the UK will need to turn to other adequate guarantees such as standard contractual clauses or binding corporate rules. Furthermore, public bodies can use a legally binding and enforceable document, or if police authorities or judicial bodies working on criminal matters are involved, the judicial document may still be enforceable in the absence of a decision on adequacy.
Either way, it is recommendable to have a strategy in place to avoid any disruption to the flow of data. From now on it is important to consider the inherent risks in international data transfers outside of the EU/ EEA, even though for the first six months the United Kingdom will still not be considered a third country. 

The ICO recommends that SMOs use standard contractual clauses. In this regard, the ICO has published two templates of standard contractual clauses: the controller to controller template and the controller to processor template. These are available alongside the templates for standard contractual clauses provided by the European Commission.

In the case of other companies, if they have already adopted binding corporate rules, Brexit may mean that these need to be checked to see if it is necessary to make any changes and notify these to the relevant data protection agency. 

There are three practical recommendations to follow when faced with this new panorama:

  1. Study the risks concerning the transfer of data to the United Kingdom, since although it is not considered a third country, the data has nevertheless exited the EEA.
  2. Adopt specific measures that provide adequate guarantees for the safe transfer of data, such as standard contractual clauses, that will safeguard against interruption if the UK’s adequacy is not agreed upon or if, at a later date, the adequacy decision is suspended or declared invalid, and
  3. Check from time to time that the adopted measures meet with the necessary requirements in a way that covers data transfer requirements. 

This means that the data controller or, if the case may be, the data processor, must meet data protection regulations and can prove this, which, in practice, means being proactively responsible. 

Finally, an important point concerning the territorial scope of the Agreement to bear in mind is that, according to information outlined by the ICO, the United Kingdom includes England, Wales, Scotland and Northern Ireland, and does not apply to the UK’s Overseas Territories nor to the Crown Dependencies such as Gibraltar. 

This article does not represent legal advice by its author(s). If you would like to regularly receive our Referencias Jurídicas CMS, which provide an insight into current legal and case law topics of interest, please fill in the form found here.


Portrait of Miguel Recio
Miguel Recio