On 24 December 2020 the European Union (EU) and United Kingdom (UK) announced that they had agreed to a trade and cooperation deal that would regulate dealings between the two parties after 31 December 2020 (the Deal). Although the Deal does not address every aspect of the ongoing relationship between the two sides, it did provide a temporary solution to the issue of the movement of personal data from the EU to the UK.

Background

The EU's General Data Protection Regulation (GDPR), which applies in all EU Member States, allows for the free movement of personal data around the EU. During its time as a Member State and during the transition period after its exit from the EU, the UK was included in that arrangement. However, after 31 December 2020, absent a decision by the European Commission that the UK's data protection regime was adequate, under GDPR, personal data could not move from the EU to the UK without additional safeguards (such as Standard Contractual Clauses) being put in place between the data exporter in the EU and the data importer in the UK.

What does the Deal do?

In relation to this issue of the free movement of personal data to the UK, the Deal effectively maintains the status quo until 30 April 2021, or perhaps as long as 30 June 2021 if it is extended. That means personal data can move freely to the UK as it did during the transition period. In the meantime, the European Commission continues to consider whether to grant an adequacy decision to the UK.

The arrangement with respect to the free flow of personal data between the EU and the UK under the Deal is also conditional on the UK not exercising certain powers that are contained within the Data Protection Act 2018 (the legislation by which the GDPR is incorporated into UK domestic law). Specifically, the UK is not permitted to declare its own decisions regarding the adequacy of other third countries, or to deviate from the GDPR-provided safeguards for the transfer of personal data to third countries.

What next?

The maintenance of the status quo is good news for business operating across the EU and the UK. It allows the continued flow of personal data that is critical to many operations. It also possibly signals that there is a willingness on both sides to work towards an adequacy decision for the UK, which would place this continued flow on a more permanent footing.

However, there may be obstacles ahead in that regard, in particular arising out of the comments made by the Court of Justice of the European Union in the Schrems II case around access to personal data by the security services in third countries. That case related to the security laws of the United States; the UK's security laws are similar in some respects, and these similarities may cause the European Commission some concerns in granting an adequacy decision to the UK. This will continue to be a developing situation; although businesses have received some good news in the form of this part of the Deal, there remains a need to watch for further developments.