On 28 June 2021, the EU Commission found that the UK provides adequate protection for personal data, enabling personal data to flow freely from the EU (and EEA) to the UK.
European privacy law (specifically articles 44-50 of the General Data Protection Regulation (GDPR)) prohibits the export of personal data from the EU to a third country unless the data exporter can ensure that ‘the level of protection of natural persons’ is the same after export as within the EU.
GDPR sets out alternative ways in which the legally required protection for exported personal data can be achieved:
- first, the EU could find that the third country’s laws provide adequate protection (article 45 GDPR) and personal data may be exported on that basis.
- second, personal data may be exported where appropriate safeguards are put in place and enforceable data subject rights and effective legal remedies for data subjects are available (article 46(1) GDPR). GDPR specifies what appropriate safeguards may be used:
  - a legally binding and enforceable instrument between public authorities or bodies (art 46(2)(a))
  - binding corporate rules (art 46(2)(b))
  - use of standard data protection clauses adopted by the EU Commission (art 46(2)(c))
  - use of standard data protection clauses adopted by a national regulator and approved by the EU Commission – i.e. SCCs (art 46(2)(d))
  - an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(e))
  - an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (art 46(2)(f))
  - subject to approval by a national regulator, contractual clauses and/or cross border administrative arrangements (art 46(3))
- finally, there are limited derogations (art 49) which allow the export of personal data in the following circumstances. However, EDPB regulatory guidance makes it clear that these are ‘exceptional’ and should not be relied on for routine ‘business as usual’ data export.