Data flows from the EU/EEA to the UK
The UK-EU Trade and Cooperation Agreement, announced on 24 December 2020, extends the free flow of personal data between the EU/EEA and the United Kingdom for up to six months. This agreement has been provisionally applicable since 1 January 2021, subject to parliamentary approval. It means that personal data can continue to flow freely from the EU and the EEA to the UK without additional measures.
The UK and EU have agreed to a transition period for an initial four months, until 30 April 2021. However, this period will be extended automatically to six months unless either the EU or the UK objects, meaning that the data transition period would end on 30 June 2021. Therefore, despite the UK now being considered a ‘third country’ under the EU GDPR, UK businesses can continue to receive personal data from the EU/EEA during this period. During this time, the European Commission will determine whether or not the UK provides an adequate level of protection for personal data to qualify for an EU adequacy decision. Data adequacy is a status granted by the European Commission to countries outside of the EU/EEA that demonstrate a level of personal data protection comparable to that provided in European law.
The free flow of data between the EU/EEA to the UK during this period is, however, conditional on the UK not amending the data protection laws which it had in place as at 31 December 2020 and not exercising certain designated powers without the agreement of the EU.
If an adequacy decision is made in respect of the UK, EU and EEA member states will be able to continue to transfer personal data after the transition period without the need for any additional procedures. The UK is hopeful that this will be the outcome considering that the Data Protection Act 2018 incorporates the General Data Protection Regulation and includes limited derogations.
If an adequacy decision is not made in favour of the UK, organisations in the EU and EEA member states will need to rely on alternative data transfer mechanisms such as Standard Contractual Clauses (SSCs) to transfer personal data to the UK.
Data flows from the UK to the EU/EEA
For personal data going in the opposite direction (i.e. from the UK to the EU/EEA), the UK Government had already deemed that the EU/EEA member states provide an adequate level of protection for personal data. This means that no additional safeguards are needed for such transfers.