The many businesses that have made contingency plans for their Data transfers to and from the United Kingdom may now start the new year taking a deep and relieved breath!
The Norwegian Government on the last working day of last year (30.12.2020) issued a temporary secondary law which is very short and which simply states that transfer of personal information to the UK shall not be regarded as transfer to a “third country” in regard of the Personal Data Act (which includes the GDPR). The Secondary law enters into force on 1st January 2021.
The legal basis for this secondary law, is section 13 of the Personal Data Act, which simply states that “the King” (meaning the King in Council) may pass secondary laws regarding the transfer of personal information to third countries or international organisations.
The consequence is that Norwegian and UK businesses may continue their data transfers as before (all within the requirements of the Personal Data Act and the GDPR).
The background for this arrangement is the Trade and Cooperation Agreement between the EU and the UK regarding the UK’s withdrawal from the EU. The Agreement contains a preliminary provision regarding the transfer of personal information to the UK. According to this provision, the UK shall not be regarded as a “third country” as long as they “freeze”existing relevant legislation, and do not pass new legislation/agreements which are conflicting with the data protection legislation of the EU. It is an interim solution, and it will expire at the latest six months after the Trade and Cooperation Agreement has been formally approved by the EU and the UK respectively.
In parallel, the EU Commission is assessing the possibility of issuing an “Adequacy Decision” in accordance with GDPR Article 45. If an Adequacy decision is passed, the data transfer to and from the UK may continue the same way as it does within the EEA today, on a perpetual basis, unless at a later stage the adequacy decision is withdrawn by the EU.
This secondary law is a very positive piece of news for all businesses in the EEA, which are engaged in doing business in the UK. It is in particular important for Norwegian businesses, since the UK (according to the Norwegian National Bureau of Statistics) is the largest export market for Norwegian businesses (including Oil and gas). The Secondary law was necessary for Norway, since Norway is an EEA country which is not a member of the EU.
It was clarified with the EU through a letter in which Norway joined in relevant provisions of the Trade and Cooperation Agreement, with the effect that Norwegian businesses will be able to compete on equal terms with European businesses in the UK market.
Let us hope that this is the first in a row of positive news for upholding the spirit of the GDPR, while facilitating free trade and the free movement of personal data on a global basis. Hopefully the next big step will be to find a practicable solution to data transfers to the US and to the use of US owned data centers in Europe! Following the Schrems II decision by the ECJU, the current situation is a nightmare for all companies using facilities in the US or European facilities owned or controlled by US entities.
I wish you all a Happy New Year and a positive development in the Data transfer regime under the GDPR!