In light of the last-minute deal between the EU and the UK (the “Agreement”) in relation to the latter leaving the EU, what is the current situation regarding the transfer of personal data between the EU and UK?
In the absence of an Agreement or an adequacy decision, additional safeguards, such as SCCs (standard contractual clauses) or BCRs (binding corporate rules) would have been required from 1 January 2021, in order to transfer personal data from the EU (EEA) to the UK, in accordance with GDPR.
However, the last-minute Agreement allows personal data flows to continue on an interim basis from the EU to the UK without any such additional safeguards. This is an important and welcome step, that avoids the need for organisations to make any last-minute rushed changes to ensure that they are compliant with EU data protection transfer laws.
The Agreement provides that, for a “Specified Period” of four months from 1 January 2021, a transmission of personal data from the EU to the UK shall not be considered as a transfer to a third country under EU law.
While four months is the default period, it will automatically be extended by a further two months, if required, unless either the UK or the EU unilaterally objects. The interim period will come to an end when it expires after four or six months or when an adequacy is granted; whichever is the earlier.
It is advisable for organisations to have plans in place to ensure the smooth flow of their data following the end of the “Specified Period”, regardless of the outcome of the ongoing negotiations between the parties.
See EU UK Trade and Cooperation Agreement Part Seven, Article FINPROV.10A for further information.
About the Author: Conor Robinson is a Consultant specialising in commercial law, specifically buying and selling businesses, commercial contracts and agency law, data protection and trademark and company law.