- Four-month transition period (extendable to six months): Until then, data transfers to the UK are not considered third country transfers under EU law.
- In the absence of an adequacy decision, UK transfers are considered third countries; Switzerland remains materially permissible, but revDSG introduces formal list obligation.
The EU and the UK have reached a last-minute agreement on a treaty-based regulation of the United Kingdom’s exit from the EU agreed.
Part of the agreement is also compliance with high data protection standards – but not recognition of adequacy. Instead, the EU decides unilaterally whether the English data protection level is adequate according to the applicable regulations of the GDPR. However, the parties have agreed to a four-month transitional period, which will be extended to six months without objection from either party:
Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom
1. For the duration of the specified period, transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law, provided that the data protection legislation of the United Kingdom on 31 December 2020, as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 201987 (“the applicable data protection regime”), applies and provided that the United Kingdom does not exercise the designated powers without the agreement of the Union within the Partnership Council.
2. subject to paragraphs 3 to 11, paragraph 1 shall also apply in respect of transfers of personal data from Iceland, the Principality of Liechtenstein and the Kingdom of Norway to the United Kingdom during the specified period made under Union law as applied in those states by the Agreement on the European Economic Area done at Porto on 2 May 1992, for so long as paragraph 1 applies to transfers of personal data from the Union to the United Kingdom, provided that those states notify both Parties in writing of their express acceptance to apply this provision.
3. in this Article, the “designated powers” means the powers:
[…]4. the “specified period” begins on the date of entry into force of this Agreement and, subject to paragraph 5, ends:
(a) on the date on which adequacy decisions in relation to the UK are adopted by the European Commission under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679, or
(b) on the date four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects;
whichever is earlier.5. […].
If the EU does not adopt an adequacy decision before the end of six months, the UK will become a third country without an adequacy decision, the same as, for example, India, China or the USA. Data flows from the EEA to recipients in the UK would thus no longer be permittedunless appropriate safeguards have been agreed, such as the standard contractual clauses, and no exception to the prohibition on disclosure applies. This applies to intra-Group data flows as well as to data flows to external recipients. Further information on this can be found, for example, in the Notes issued by EDSA in the event of a no-deal Brexit on February 12, 2019..
For companies in Switzerland, the situation is different. Under Swiss law, it is not an adequacy decision that is decisive. There is no adequacy decision at all; what is decisive is the substantive question of whether the foreign law offers adequate protection, not a formal decision. The list of states of the FDPIC is therefore not binding. Materially, however, the adequacy of English data protection law is still to be assumed. This also corresponds to the Opinion of the FDPIC. Data flows from Switzerland are therefore basically still permitted as before.
The revDSG, on the other hand, introduces adequacy decisions into Swiss data protection law. Pursuant to Art. 16(1) revDSG, the Federal Council maintains a list of states whose level of protection is deemed adequate. If a particular state is missing from this list, disclosure to that state is restricted, even if its level of protection should be beyond doubt.
Also part of the Agreements are regulations on data traffic. Among other things, both sides want to refrain from requiring data to be stored or processed in a specific location (Chapter 2, Article DIGIT.6:
The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the Parties by a Party:
(a) requiring the use of computing facilities or network elements in the Party’s territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party;
(b) requiring the localization of data in the Party’s territory for storage or processing;
(c) prohibiting the storage or processing in the territory of the other Party; or
(d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties’ territory or upon localisation requirements in the Parties’ territory.
Further provisions are intended to free flow of data, but also of digital services ensure, e.g. Art. Article DIGIT.9 No prior authorization;
A Party shall not require prior authorization of the provision of a service by electronic means solely on the ground that the service is provided online, and shall not adopt or maintain any other requirement having an equivalent effect.
A service is provided online when it is provided by electronic means and without the parties being simultaneously present.
2. paragraph 1 does not apply to telecommunications services, broadcasting services, gambling services, legal representation services or to the services of notaries or equivalent professions to the extent that they involve a direct and specific connection with the exercise of public authority.
Likewise Art. Article DIGIT.10: Conclusion of contracts by electronic means
(1) Each Party shall ensure that contracts may bwe concluded by electronic means and that its law neither creates obstacles for the use of electronic contracts nor results in contracts being deprived of legal effect and validity solely on the ground that the contract has been made by electronic means.
Also subject to the agreement are Consumer protection and anti-spam regulations. For example, the parties undertake to restrict electronic direct marketing communications along the lines of the e‑Privacy Directive (Article DIGIT.14 Unsolicited direct marketing communications). Ok