Following its “Brexit” from the EU on January 31, 2020, the UK had until December 31, 2020 to bring its data privacy laws into compliance with the General Data Protection Regulation (“GDPR”). As of January 1, 2021, the UK is a “third country”( 1 ) under the GDPR. However, on December 24, 2020, the EU and UK entered into the EU-UK Trade and Cooperation Agreement. The Agreement concerns all personal data processing for data subjects located in the EU (EU personal data) in connection to the UK, regardless of whether the entity processing the data is located within the EU. The Agreement calls for an additional six-month transition period, enabling the EU to complete a full assessment of the strength of the UK’s data protection laws. During this six-month grace period, personal data may be exported from the EU to the UK without the need for additional compliance measures.

The EU Commission, the EU’s politically independent executive arm, must assess the UK’s data privacy strength during the six-month grade period. If the Commission fails to issue a data privacy adequacy decision before June 2021, UK entities will have to implement additional safeguards for processing EU personal data. Those safeguards may include using EU Standard Contractual Clauses (2), implementing Binding Corporate Rules(3), or relying on certain exemptions outlined in the GDPR. Both the UK and EU have expressed a desire to grant formal data protection adequacy status to the UK. Such status would allow an ongoing, free transfer of personal data from the EU to the UK without requiring exporting or importing organizations to take further action.

Businesses processing data between the EU and the UK should note that the Agreement provides only a short-term solution to GDPR compliance. Thus, interested businesses and governments should closely monitor the adequacy decision process. Whatever the outcome, businesses and governments in other designated third countries can look to the EU’s adequacy decision for the UK to guide their data privacy policies and legislation.

Written by: Radhika K. Raman & Baraa Kahf

(1) “Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to those of EU law.” See https://gdpr-info.eu/issues/third-countries/.

(2) EU Standard Contractual Clauses provide a model of clauses for compliant data transfers between EU and non-EU member countries. See https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

(3) Binding Corporate Rules provide appropriate safeguards for third country data transfers. See https://gdpr-info.eu/art-47-gdpr/.