International transfers of personal data are common for employers, whether that involves accessing information about employees in other countries, working with international colleagues on HR projects or using software that is hosted outside of the UK.
Under GDPR, transfers of personal data from within the European Economic Area (“EEA”) to outside the EEA are only permissible where appropriate safeguards are put in place unless the country’s data privacy laws are determined to be “adequate” by the EU.
Following Brexit, the UK will be outside the EEA and so, in the absence of an adequacy decision, transfers from the EU to the UK will need to be subject to additional measures and employers would need to put additional documentation in place, such as Standard Contractual Clauses. An agreement was reached in December 2020 between the UK and the EU, allowing the UK a six-month grace period for the free flow of data until the end of June 2021.
The European Data Protection Board (EDPB) has published its Opinion on the European Commission's draft adequacy decisions in relation to the UK. If granted (which is expected), the adequacy decision will make the continued flow of data between the EEA and the UK much easier and will avoid the need for businesses to put additional measures in place such as Standard Contractual Clauses.
However, any EU adequacy decision is likely to be time-limited to four years and subject to ongoing review, in case UK law develops in a direction that the EU later considers to be inconsistent with GDPR requirements.
In terms of next steps, the European Commission will seek approval on the UK adequacy decision from each EU member state and has indicated that it will make its final adequacy decision before the end of the grace period (i.e. before the end of June 2021). As we have noted above, we expect any adequacy decision to be valid for four years only, after which it will be reviewed.