Following years of speculation on the restrictions that may apply to the transfer of personal data between the UK and EU post-Brexit, on 24 December 2020, the UK and EU entered into the Trade and Co-operation Agreement (Agreement).

The Agreement

  • The UK will allow UK personal data to be transferred to the European Economic Area (EEA) freely on the basis that the General Data Protection Regulation (GDPR) provides adequate protection.
  • The European Data Protection Board and European Commission will take four to six months (from 1 January 2021) to consider whether the UK’s Data Protection Act 2018 (DPA 2018) provides adequate protection to EEA personal data. In the meantime, there is a ‘grace period’ or ‘bridge’ for those transferring personal data from the EEA to the UK or those within the UK receiving personal data from the EEA.

Next steps

The implications for your business

  • The GDPR no longer applies to the UK; however, the DPA 2018 incorporates the GDPR and so, in reality, there is little change to your obligations.
  • The GDPR may still apply to you directly if you operate in Europe, offer goods or services to individuals in Europe or monitor the behaviour of individuals in Europe.
  • If your organisation receives personal data from the EEA, the UK Information Commissioner's Office has recommended that you put in place ‘alternative safeguards’ by the end of April 2021 to ensure that data transfers can continue uninterrupted in the event that the EU does not grant the UK an adequacy decision. The most commonly used alternative safeguard is the Standard Contractual Clauses (SCC).
  • The European Commission released new SCC in November 2020 covering the transfer of data between controller and controller, processor and processor, controller and processor and, finally, processor and controller. Those SCC have yet to be formally adopted and, therefore, are subject to change. It is recommended that you carry out a review of all data transfers involving your organisation, consider the adequacy of the protections currently in place and review what changes can and should be made in light of the guidance currently available. A tricky decision for many organisations receiving personal data from the EEA will be whether to implement the SCC now, in the knowledge that a) the SCC may be unnecessary in the event an adequacy decision is granted and b) the SCC may be amended by the European Commission, which will then necessitate further changes to paperwork within a year of adoption, or to await further developments, with the associated risks on data protection.