Personal Data & Europe

The confirmation of the UK’s withdrawal from the EU at the end of 2020 has implications for businesses who process personal data from the EU and when data is transferred from the UK to Europe or processed in Europe.

Before Brexit, as the UK was part of the EU, it was permissible to freely transfer personal data between the UK and the EU countries. This has now changed and is dependent upon what is known as an adequacy decision for this to continue to apply.

As a result of Brexit, the UK has confirmed that personal data may be sent to or processed / held by processors in Europe from the UK and that an adequacy decision is in place for that purpose. However, this is not the definitive position as yet in respect of data being sent for processing from the EU to the UK. A form of moratorium was introduced by the EU to enable the pre-existing arrangement to remain in
place for a number of months whilst the EU determined whether to grant an adequacy decision in respect of transfers of personal data from the EU to the UK.

On 19th February 2021, the EU announced that a draft adequacy decision in respect of the UK had been made, although this is now to go through a process for approval in the European Community. It will be a surprise if this is not approved by the EU in the near future.

However, the issues remain that even if an adequacy decision is made, it could be affected or removed at any time dependent upon how data protection laws develop in the future. As the EU and UK courts can now make different decisions in respect of data protection laws this could affect the adequacy decision. An example is the fact that the European Court of Justice only recently reached a verdict which affected data transfers from the EU to the USA. The EU Commission itself could potentially also make a different decision at any time.

Similarly, the UK may determine at some stage that transfers of data from the UK to the EU are at risk and remove the adequacy decision.

It is therefore important that if your business is obtaining personal data from the EU for processing (whether as a controller or a processor) for whatever purpose, or vice versa, that your business considers whether to continue to rely upon the current moratorium and the anticipated adequacy decision or considers future-proofing now in case this should ever change in the future. Appropriate measures can
be put in place to ensure that whatever happens in the future you can continue to process data from Europe and / or to transfer or store data in the EU.

Chadwick Lawrence’s regulatory department can help and advise your business in respect of any data protection issues including whether to consider putting these additional measures in place. For more information please contact nicholasworsnop@chadlaw.co.uk or harveyblake@chadlaw.co.uk