On Christmas Eve, not long before the 31 December 2020 Brexit negotiation deadline, the European Union and the United Kingdom finally reached consensus regarding the terms of their future relationship. This was in the form of a package of agreements, including the EU-UK Trade and Cooperation Agreement (the “TCA”). One of the many matters dealt with in the TCA is the transfer of personal data from countries within the European Economic Area (“EEA”) to the UK from 1 January 2021 onwards.
In the event of a “no-deal” Brexit, the UK was set to become a third country after 31 December 2020 for data protection purposes. This would have required organisations to put in place additional safeguards required under the General Data Protection Regulation (“GDPR”), such as standard contractual clauses, in order to continue transferring personal data to the UK. Under the TCA, however, the parties have effectively agreed a holding position, whereby transfers of personal data from countries within the EEA to the UK after 1 January 2021 will not be considered to be transfers of personal data to a third country for a limited period of time.
The arrangements outlined above will be in place for a period of four months from 1 January 2021 and can be extended by a further two months if the EU and UK agree.
The European Commission will now consider whether to make an adequacy decision in respect of the UK. An adequacy decision is one of the safeguards under the GDPR that allows for the transfer of personal data from the EEA to a specific country, whereby the European Commission has decided that the country in question provides a level of data protection to the standard required by EU law.
If the European Commission does not make an adequacy decision in respect of the UK by the end of the four-month (or, if extended, six-month) period provided for under the TCA, at that stage the UK will be considered to be a third country for data protection purposes. In those circumstances, organisations wishing to transfer or continue to transfer personal data to the UK would need to ensure that they do so in accordance with one of the safeguards under the GDPR. The safeguards are discussed in further detail in our previous article, which is available here.
We will provide further updates as the situation develops.
About the Authors
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Ruth is a solicitor in the Commercial & Business team and advises on an array of commercial and regulatory matters, including in the areas of privacy and data protection, intellectual property, terms and conditions of purchase and sale, advertising and promotions and commercial contracts.