As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes.
By Gail Crawford, Fiona Maclean, and Amy Smyth
The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one of the more significant implications — the UK becoming a third country for the purposes of EU-to-UK personal data transfers — has been mitigated by a four to six-month grace period in the EU & UK Trade and Cooperation Agreement (the Trade Agreement).
The Trade Agreement’s grace period states that personal data may be transferred from the EU to the UK as if the UK has not become a third country on 1 January 2021 (Article FINPROV.10A). This provision means that the requirement for a data transfer mechanism to legalise such transfers under the European General Data Protection Regulation (GDPR) will not be triggered on 1 January 2021, and these transfers may continue as during the Brexit transition period.
The initial grace period is four months from 1 January 2021, which will be extended by two further months unless either the EU or UK objects. The grace period is intended to allow more time for the European Commission (the Commission) to consider whether to grant the UK adequacy, which would continue to permit unrestricted EU-to-UK personal data transfers. If the Commission adopts a UK adequacy decision during the grace period, the grace period will no longer be necessary and will end. However, if the Commission does not adopt a UK adequacy decision during this period, then, absent further interim measures, the UK will be considered a third country for personal data transfers from the grace period’s end.
While the various other data protection implications of Brexit are not breaking news, the end-of-the-year deadline is a useful checkpoint for organisations to consider what action they need to take to ensure ongoing compliance with both the UK and European data protection regimes.
Read the key considerations set out in Latham’s Brexit Data Protection Checklist:
For further background, Latham has published a series of blog posts on various data protection aspects of Brexit.
Submit a comment about this post to the editor.