Last-minute Brexit deal extends free flow of personal data to UK with 6 months
On 24 December 2020, the EU and the UK reached an agreement over some essential Brexit modalities, including the exchange of personal data between the EU and the UK.
As of 1 January 2021, the UK qualifies as a ‘third country’ pursuant to the EU General Data Protection Regulation 2016/679 (GDPR). From a data protection perspective, this means, in principle, that additional measures must be implemented to secure any transfer of personal data to recipients in the UK, as the UK will no longer benefit from the high level of protection of personal data ensured by the GDPR. Also, the Schrems II ruling of the EU Court of Justice (more information here), and the requirement to perform a data transfer risk assessment (including an assessment of the adequacy of the use of EU standard contractual clauses for international data transfers), will in principle fully apply to the UK after Brexit.
The trade deal addresses this point by providing that the EU and the UK envisage to have the UK maintain an adequate level of data protection post-Brexit, which would allow for a continued free flow of personal data.
The deal includes several obligations and restrictions (e.g. Part 2, Heading 1, Title III, Chapter 2) to ensure the (continued) equivalent protection and free flow of personal data between the EU and the UK. More specifically, the deal includes an interim provision for the transfer of personal data to the UK, confirming that data transfers to the UK shall not be qualified as transfers to a ‘third country’ during a transitional period that shall end after four months (as of 1 January 2021), which period shall be extended by two further months unless the UK or the EU objects thereto. The transitional period can also expire earlier, if an official adequacy decision for the UK is adopted by the European Commission. Although it remains to be seen whether an adequacy decision shall be adopted within the transitional period of (maximum) 6 months, such period is a welcome interim solution as it allows companies to continue mapping their data flows, conducting their risk assessment, and preparing for the implementation of additional requirements should the need arise.
Stéphanie De SmedtCounsel Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: firstname.lastname@example.org
Nina OrlićAssociate Attorney at law
Nina Orlić, attorney at law, is a member of the Competition & Regulatory practice group. She specialises in data protection and privacy law, telecommunications law, regulated markets and (international) contract law and has experience in employment law.T: +31 20 578 53 44 M: +31 653 38 97 74 E: email@example.com
Emilia FronczakSenior Associate Attorney at law / Avocat à la Cour
Emilia Fronczak, senior associate, is a member of the Litigation & Risk Management Practice Group in our Luxembourg office. She focuses on dispute resolution and advises mainly on data protection, IP, employment and EU law.T: +352 466 230 308 E: firstname.lastname@example.org