The Status of EU–UK Data Flows Following Brexit

McGuireWoods LLP

The end of the Brexit transition period on 31 December 2020 means the UK now has full autonomy over its data protection policies. As of the 1 January 2021 the UK is recognised as a ‘third country’ under EU General Data Protection Regulation (GDPR) rules. The EU-UK Trade and Cooperation Agreement, which is an agreement in principle between the EU and UK, does not yet include a provision for the vast flow of personal data being transferred between the two jurisdictions. The transfer of personal data will be subject to a separate adequacy decision from the EU due in early 2021. This separate adequacy decision will determine whether the EU will allow the ongoing free flow of data from EU/EEA countries to the UK. If an adequacy decision is not granted, then organizations who transfer personal data from the EU/EEA to the UK will have to take additional steps to ensure data being transferred is provided equivalent protections to those under the EEA. The UK has already determined that it considers all EEA/ EU states to be adequate which means that personal data flows from the UK to the EU/EEA will remain unaffected.

Until the EU completes its adequacy assessment, it has granted a grace period that will delay any EU restrictions on personal data transfers to the UK for the next four months. This bridging mechanism under the agreement can be extended up to 6 months (if no objections are made) but will cease once the EU adequacy decision is enforced. Whilst the bridging mechanism is in place, the UK is able to make changes to its personal data policies and exercise its international powers subject to mutual agreement from the EU. The EU cannot block any changes made by the UK but if the EU objects to them then the bridging period will end.

The EU-UK Trade and Cooperation Agreement also recognizes ‘legacy data’ as overseas personal data processed in the UK before the end of the transition period. Data processed before the 1 January 2021 will therefore remain subject to EU GDPR policies (the ‘frozen GDPR’) whereas data collected after the transition period will need to comply with UK GDPR and the Data Protection Act 2018.

The Information Commissioner’s Office (ICO) has recommended that organizations make arrangements before the end of April to safeguard against the possibility of an adequacy decision not being granted by the EU. These can include the adoption of binding corporate rules; standard contractual clauses; certification and codes of conduct and derogations, all of which are set out in the GDPR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.