EEA-UK Data Transfers and the Brexit Agreement - What Law Firms Need to Know
The recent agreement between the EU and UK grants an extension to resolve the issue of EEA to UK personal data transfers (giving unprepared firms a second chance)
Leading up to the end of the Brexit transition period on 31 December 2020, there was some uncertainty regarding personal data transfers from the European Economic Area to the United Kingdom.
Unless the UK received an adequacy decision from the European Commission by the end of the transition period, it was looking like firms would need to implement appropriate safeguards such as standard contractual clauses (SCCs) and binding corporate rules (BCRs) in order to receive personal data from the EEA as of the New Year.
The EC did not issue an adequacy decision by the end of the transition period, but as part of their Trade & Cooperation Agreement, the EU and UK agreed to extend the period during which personal data could be transferred from the EEA to the UK with any additional safeguard until 1 May 2021. If there is still no adequacy decision by then, the extension is automatically prolonged by another two months unless either party objects.
What does this mean for law firms?
This is obviously good news for those firms that were struggling to fully implement appropriate safeguards by the end of 2020. However, given that there is no guarantee of an adequacy decision in four or six months, such safeguards may end up being necessary in the future.
So, firms that receive personal data from the EEA but have yet to fully implement appropriate safeguards should take this opportunity to do so by, for example, agreeing to SCCs with their EEA clients or getting regulatory approval for and implementing BCRs. Adopting such safeguards now is a prudent measure given the uncertainties that continue to plague data protection due to Brexit even after the transition period.
In addition, firms that need an EU representative because they do not have an office in the EEA but offer their services to and/or monitored the behaviour of individuals in the EEA should have appointed one by now. The 1 January 2021 deadline to appoint a representative was not affected by the extension, so any firms still needing to comply with this requirement must do so as soon as possible. The representative can be an individual or entity established in the EEA and should be appointed in writing to act on the firm’s behalf regarding GDPR compliance, including dealing with regulators and data subjects.
