Free flow of Personal Data to UK Extended by 6 Month in Last-Minute Brexit Deal

Photos taken at the #PeoplesMarch for a #PeoplesVote in London on Saturday 20th October 2018.

Due to the end of the Brexit transition period on January 1 2021, the United Kingdom was dues to be designated as a ‘third country’ in relation to the the European Union’s General Data Protection Regulation (GDPR).

From a data protection perspective, this means, that data moving to or from the UK would have been,  in principle, subjected to additional measures to secure any transfer of personal data to recipients in the UK. This is due to the fact that the UK will no longer to take advantage from the high level of security of personal data ensured by the GDPR. Additionally, due to the Schrems II ruling of the EU Court of Justice in 2020 there was the requirement to carry out a data transfer risk assessment, This includes a review of the adequacy of the use of EU standard contractual clauses for international data transfers. The UK was due to be bound by these rules in relation to international data transfers.

However, the UK-EU trade deal has allowed the UK maintain a basic level of data protection in the aftermath of Brexit which paves the way for a continued free flow of personal data. Included in the deal are a number of obligations and limit to see to it that the ongoing equivalent protection and free flow of personal data between the EU and the UK. This means that the deal incorporates an interim provision for the transfer of personal data to the UK, stating that data transfers to the UK shall not be regarded as transfers to a ‘third country’ during a transitional period that shall finish after four months from the date of agreement, January 1 2021. There will also be an additional two further months added to did in the event that there are no objections from the UK or the EU.

There was also a provision made for the transitional period to come to and end sooner than this, if an official adequacy decision for the UK is implemented by the European Commission. However, it is not known if an adequacy decision shall be put in place within the transitional period of six months, This will allow companies to go on mapping their data flows, completing their risk assessment, and making ready the implementation of additional requirements should the need be identified.