Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently-announced deal, a temporary solution will allow companies to continue to transfer data between the UK and European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data are restricted out of the EEA to third countries unless certain steps are taken or exceptions apply. One of those mechanisms being an EU determination that the country to which data is being transferred is “adequate.” With the current transition period set to expire December 31, 2020, and no adequacy decision for the UK issued yet from the Commission, companies have been worrying about how to receive data from the EEA into the UK given its impending status as a “third country.”
The Trade and Cooperation Agreement announced in these last days of December 2020 calls for data flows to continue unchanged to the UK for four months, extendable to six months. This agreement means that even though the UK is leaving the EU without an adequacy decision, the need for parties who are engaging in such transfers to take extra steps, including use of appropriate safeguards (as we have written about this year) or reliance on transfer derogations for the data transfers will not be triggered. This temporary period (lasting up to six months) will apply so long as the UK does not modify its existing data protection law and does not exercise certain provisions provided for in that law without EU agreement.
Putting it Into Practice. While this transition period offers a reprieve for companies while we await the EU Commission’s decision on adequacy, companies are reminded of the other obligations under GDPR that are also impacted by Brexit. This includes the possible need to appoint a representative in the EEA and to re-evaluate the impact to your lead supervisory authority.