Global menu

Our global pages


Speed read: The ‘transfers from EU back in to the UK’ conundrum…

  • United Kingdom
  • Brexit
  • Privacy, data protection and cybersecurity


The issue? Processors in the EU are required under Art 44 GDPR to ensure lawful mechanisms apply to any transfers they make from the EU to ‘third countries’. After Brexit the UK will be a ‘third country’ unless and until there is a formal adequacy decision from the EU Commission. That is not expected to happen anytime soon (certainly not in the next 12 months). The UK has told the EU authorities that transfers from UK to the EU won’t be problematic. The EU has not done this in return. There is risk an EU processor might ‘refuse’ to make transfers of personal data back to the UK controller after Brexit.

Will this harm data subjects or their personal data? It ought not to, provided the controller complies in all respects with GDPR. Keep in mind that: (i) after Brexit the UK will have a law aligned to the GDPR standard of protection which applies to the UK controller (eg the bank, firm, company, employer, partnership); (ii) the data subjects (eg clients, customers, employees) already have statutory rights against their controller, and the well-known statutory right to compensation; (iii) the controller ought to be as ‘safe’ for personal data as is its processor (after all, it appointed the processor and checked its security measures were appropriate to the risk of processing); and (iv) the GDPR Article 28 terms should already be in place to connect the controller and its processor by written contract.

So why the fuss? Strictly speaking (and here is the highly technical bit) this is a transfer to a third country. Derogations such as individual adequacy assessments will not assist unless eg the UK controller is asking its processor to make a one off transfer (rare). At this time, ‘processor to controller’ Standard Contractual Clauses (SCCs) do not exist so the UK controller cannot simply offer these up to its EU based processor and plug the gap that way.

Are EU supervisory authorities interested in this? The EDPB (European Data Protection Board) has not issued any formal guidance on this particular issue, nor has the ICO. Supervisory authorities in EU countries are (as yet) tending to be silent. The Polish privacy regulator (OPPDP), for example, has not issued formal guidance on it.

Are UK regulators, other than supervisory authorities, interested? It seems so. We are now seeing other regulatory authorities here in the UK pushing this agenda. For instance, banks and other firms are being asked what will they do about this and how this fits in with their post-Brexit plans.

What might UK controllers consider doing if their EU processors, or other regulators, insist on ‘finding’ a solution? It is difficult to plug this gap in the absence of any solution being offered up or opined upon by privacy regulators/the EDPB. Here are some possibilities (though they do not solve the issue). First, you could offer up ‘controller to processor’ SCCs which you sign as ‘data exporter’ with your EU processor as ‘data importer’. They do not add much in this very particular circumstance, we suggest, since Article 28 terms go over and above the protections in the SCCs (which pre-date GDPR). Moreover, the third party rights provisions which afford certain protections to data subjects were designed to apply to protect those subjects before GDPR came in; GDPR has improved the position of data subjects. Secondly, you could ask the processor whether its local privacy regulator would be concerned about these transfers. If so, can the processor explain why? Thirdly, try to tease out whether your EU processor is making other EU to UK transfers (post Brexit) such as to its own local branches or other companies in its group. If it is, why the UK is ‘safe’ for those intra-group transfers, and not for transfers of your data back to you.