Under the UK-EU trade and co-operation agreement (TCA) agreed on the 24 December 2020, the Brexit transition period has – at least for EU-UK personal data transfers – been extended on an interim basis so, in respect of data transfers, there are no major changes for the moment.
This interim extension is ostensibly to enable the EU to make an adequacy assessment in respect of the UK’s data protection laws, which – if positive – would allow the continued free flow of personal data between the EU and UK without any new significant regulatory obstacles.
The TCA effectively grants an interim GDPR ‘adequacy’ finding to the UK for 4 months (which can be extended to 6 months) from 1 January 2021 (i.e. for this period, EU/EEA to UK personal data transfers during this period are not considered a transfer to a ‘third country’ under the GDPR). Accordingly, there is no need to scramble to put in place the EU-approved standard contract clauses (SCCs) or other measures for EU-UK transfers although organisations should closely watch further developments over the next 3-5 months.
During this interim period, the UK Government is not permitted to amend the UK GDPR or other data protection law, although this seems unlikely anyway. If the EU Commission makes a decision on the UK’s data protection adequacy status (or not), the interim period will automatically terminate.
Transfers of personal data from the UK to the US and other non-EU approved third countries will continue to be subject to the same GDPR rules as before Brexit. This means for data exports from the UK to a country which is not on the EU’s ‘adequacy’ list, the transfer should either be subject to an exemption under the GDPR (e.g. the transfer is necessary for performance of a contract with the data subject; carried out with their explicit consent or is necessary in connection with a legal claim) or the SCCs or another mechanism recognised as providing ‘appropriate’ GDPR safeguards should be in place. The UK ICO has also published its own new set of SCCs for UK to third country transfers that refer to the UK GDPR.
Transfers of personal data from the UK to the EU are deemed legally adequate under UK law so, provided they are compliant with UK GDPR, such data transfers into the EU should not require any additional measures. The UK Government will however keep the status of such transfers under review.