On 24 December 2020, the EU and the UK reached an agreement over some essential Brexit modalities, including the exchange of personal data between the EU and the UK.
As of 1 January 2021, the UK qualifies as a ‘third country’ pursuant to the EU General Data Protection Regulation 2016/679 (GDPR). From a data protection perspective, this means, in principle, that additional measures must be implemented to secure any transfer of personal data to recipients in the UK, as the UK will no longer benefit from the high level of protection of personal data ensured by the GDPR. Also, the Schrems II ruling of the EU Court of Justice (more information here), and the requirement to perform a data transfer risk assessment (including an assessment of the adequacy of the use of EU standard contractual clauses for international data transfers), will in principle fully apply to the UK after Brexit.
The trade deal addresses this point by providing that the EU and the UK envisage to have the UK maintain an adequate level of data protection post-Brexit, which would allow for a continued free flow of personal data.
The deal includes several obligations and restrictions (e.g. Part 2, Heading 1, Title III, Chapter 2) to ensure the (continued) equivalent protection and free flow of personal data between the EU and the UK. More specifically, the deal includes an interim provision for the transfer of personal data to the UK, confirming that data transfers to the UK shall not be qualified as transfers to a ‘third country’ during a transitional period that shall end after four months (as of 1 January 2021), which period shall be extended by two further months unless the UK or the EU objects thereto. The transitional period can also expire earlier, if an official adequacy decision for the UK is adopted by the European Commission. Although it remains to be seen whether an adequacy decision shall be adopted within the transitional period of (maximum) 6 months, such period is a welcome interim solution as it allows companies to continue mapping their data flows, conducting their risk assessment, and preparing for the implementation of additional requirements should the need arise.