This article was published prior to the publication of the post-Brexit agreement between the UK and EU which covers the relationship between the UK and EU following the end of the implementation period (commonly referred to as the “transition period”) created by the European Union (Withdrawal Agreement) Act 2020, and should be read in that context. For up-to-date commentary and information on our services, please see our Beyond Brexit.
The key data protection takeaway from the recently concluded EU-UK Trade and Cooperation Agreement is that personal data can continue to flow from the EU to the UK after Brexit without additional safeguards, for a period of up to 6 months, until the UK receives an adequacy decision.
The bridging period will initially run for 4 months from 1 January 2021 but will automatically be extended by 2 months, so that it runs for a total of 6 months, unless the EU or UK objects to the extension.
In addition, the European Commission has formally declared an intention to commence the adequacy decision process for the UK and to work closely with the other bodies and institutions involved in the relevant decision-making procedure.
What are the implications of this?
Firstly, companies transferring personal data from the EU to the UK no longer need to ensure that alternative transfer mechanisms, such as the European Commission approved model clauses, are in place from the 1 January 2021.
Time spent implementing alternative transfer mechanisms prior the end of the Brexit transition period is not wasted though, as the ICO has confirmed that doing so is still a “sensible precaution”.
Although there is a clear intention to work towards granting the UK an adequacy decision before the end of the bridging period, this is by no means guaranteed and alternative transfer mechanisms may still be required for EU-to-UK data transfers later in 2021.