On 24 December 2020, the EU and UK reached a consensus on the Trade and Cooperation Agreement (the Agreement). The agreement allows personal data to continue to flow freely from the EU/EEA to the UK for up to 6 months after 1 January 2021, or until an adequacy decision is adopted (whichever is earlier). This provides the European Commission with some further time to make an adequacy decision in relation to the UK.
Data flows from the EU/EEA to the UK
The GDPR prohibits transfers of personal data to a ‘third county’, unless that country benefits from an adequacy decision, or the transfer is subject to an appropriate safeguard or a derogation applies. For the purposes of the GDPR, the UK became a third country on the 31 December 2020. In the absence of an adequacy decision in relation to the UK, businesses have been busy putting in place appropriate safeguards (such as the standard contractual clauses (SCCs)) to ensure their transfers of personal data from the EU/EEA to the UK remain lawful.
However, Part 7 of the Agreement provides that transfers of personal data from the EU/EEA to the UK will not be considered transfers of personal data to a third country for the duration of the ‘specified period’. The specified period began on January 1, 2021, and ends on: (1) the date on which an adequacy decision in relation to the UK is adopted by the European Commission, or (2) the date four months after the specified period began, which shall be extended by two months unless either the EU or the UK objects, whichever is earlier. The free flow of data during the specified period is subject to the proviso that the UK does not amend the data protection legislation in place as of 31 December 2020, and does not exercise specified designated powers (including approving new SCCS or binding corporate rules), unless the EU agrees to same.
The Agreement means that personal data can continue to be transferred freely between the EU and UK for up to 6 months after January 1 2021.
Data flows from the UK to the EU/EEA
Transfers of personal data from the UK to the EU/EEA can continue without additional safeguards being put in place. This is provided for in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended.