Marking the completion of Brexit, December 31, 2020, saw the end of the 11-month transition period wherein the UK was still bound by the EU’s rules and, therefore, the GDPR and EU privacy laws continued to apply in the UK. This meant that transmissions of data from the European Economic Area to the UK were not restricted. But what is the position now?

To the relief of many enterprises, the EU-UK Trade and Cooperation Agreement, better known as the Brexit deal, brought about some breathing space by extending the transition period; during this transition, transmissions of personal data from the EEA to the UK will continue to be treated as processing of data within the EU.

If an extension had not been agreed between both parties, data transfers from the EEA to the UK would have been considered as third country transfers as of January 1, 2021. For those enterprises that had not fully prepared themselves for a ‘no-deal Brexit’, this would have meant non-compliance with the GDPR and local privacy laws with respect to personal data transfers to the UK.

An adequacy decision was not part of the deal

In terms of this agreement, the transition period has been extended for a period of four months with a possibility of a further two-month extension, ending on June 30. During this period the UK has agreed to maintain its data protection regime closely aligned with the GDPR and not to make any changes thereto, without the EU’s prior consent.

So did the Brexit deal just bring an agreed relief of four months or so? Essentially yes, since an adequacy decision was not part of the deal. However, in a way it also provides us with some optimism in terms of an adequacy decision being adopted by the end of this extended transition period. The adoption of an adequacy decision is much longed for, particularly after the Schrems-II decision by the CJEU.

Data adequacy is a status granted by the European Commission to countries outside the EEA which provide a level of personal data protection comparable to that provided in EU law. In fact, by means of an adequacy decision, personal data would continue to pass freely between the EEA and the UK without further appropriate safeguards, such as standard contractual clauses, required.

The EU Commission has so far adopted adequacy decisions in favour of 12 countries; Japan and New Zealand, among others.

If an adequacy decision is not adopted in favour of the UK by the end of this extended period, enterprises within the EEA would need to implement appropriate safeguards in terms of the GDPR so as to legitimise transfers of personal data to the UK.

The Trade and Cooperation Agreement is provisionally applicable since January 1, 2021, as it is still pending ratification.

Celia Mifsud, lead senior associate at DF Advocates

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.