EU to UK personal data transfer post Brexit update

In light of the last-minute deal between the EU and the UK (the “Agreement”) in relation to the latter leaving the EU, what is the current situation regarding the transfer of personal data between the EU and UK?

In the absence of the Agreement or an adequacy decision, under normal circumstances additional safeguards, such as SCCs (standard contractual clauses) or BCRs (binding corporate rules) would have been required from 1 January 2021, in order to transfer personal data from the EU (EEA) to the UK, in accordance with GDPR. However, the Agreement allows personal data flows to continue on an interim basis from the EU to the UK without any such additional safeguards. This is an important and welcome step, that avoids the need for organisations to make any last-minute rush to ensure that they are compliant with EU data protection transfer laws.

The Agreement provides that, for an interim period of up to six months from 1 January 2021, a "transmission" of personal data from the EU to the UK shall not be considered as transfer to a third country under EU law. 

 While four months is the default period, it will automatically be extended by a further two months, if required, unless either the UK or the EU unilaterally objects. The interim period will come to an end when it expires after four or six months or when an adequacy is granted; whichever is the earlier. 

While most observers agree that an adequacy decision may take longer than the 6-month interim period, we would therefore advice that organisations have in place, plans to ensure the smooth flow of their data, regardless of the outcome of the ongoing negotiations between the parties.

Contact the team at MDDM today.