by Laura Fannin , Ruth Prendeville January-06-2021 in Commercial & Business, Data Protection, Brexit

On Christmas Eve, not long before the 31 December 2020 Brexit negotiation deadline, the European Union and the United Kingdom finally reached consensus regarding the terms of their future relationship.  This was in the form of a package of agreements, including the EU-UK Trade and Cooperation Agreement (the “TCA”).  One of the many matters dealt with in the TCA is the transfer of personal data from countries within the European Economic Area (“EEA”) to the UK from 1 January 2021 onwards.

In the event of a “no-deal” Brexit, the UK was set to become a third country after 31 December 2020 for data protection purposes.  This would have required organisations to put in place additional safeguards required under the General Data Protection Regulation (“GDPR”), such as standard contractual clauses, in order to continue transferring personal data to the UK.  Under the TCA, however, the parties have effectively agreed a holding position, whereby transfers of personal data from countries within the EEA to the UK after 1 January 2021 will not be considered to be transfers of personal data to a third country for a limited period of time.

These arrangements outlined above will be in place for a period of four months from 1 January 2021 and can be extended by a further two months if the EU and UK agree. 

The European Commission will now consider whether to make an adequacy decision in respect of the UK.  An adequacy decision  is one of the safeguards under the GDPR that allows for the transfer of personal data from the EEA to a specific country, whereby the European Commission has decided that the country in question provides a level of data protection to the standard required by EU law.

If the European Commission does not make an adequacy decision in respect of the UK by the end of the four-month (or, if extended, six-month) period provided for under the TCA, at that stage the UK will be considered to be a third country for data protection purposes.  In those circumstances, organisations wishing to transfer or continue to transfer personal data to the UK would need to ensure that they do so in accordance with one of the safeguards under the GDPR.  The safeguards are discussed in further detail in our previous article, which is available here.

We will provide further updates as the situation develops.

For further information, please contact Laura Fannin or Ruth Prendeville at Hayes solicitors.

Related Articles

Back to Full News