GDPR: What is the situation following the Brexit Deal?
Marking the completion of Brexit, the 31st of December 2020 saw the end of the 11-month transition period wherein the UK was still bound by the EU’s rules and therefore the GDPR and EU privacy laws continued to apply in the UK. This meant that transmissions of data from the EEA to the UK were not restricted. But what is the position now?
To the relief of many enterprises, the EU-UK Trade & Co-operation Agreement, better known as the Brexit Deal brought about some breathing space by extending the transition period; during which transmissions of personal data from the EEA to the UK will continue to be treated as processing of data within the EU. If an extension had not been agreed between both parties, data transfers from the EEA to the UK would have been considered as third country transfers as of 1January 2021. For those enterprises which had not fully prepared themselves for a ‘No-deal Brexit’, this would have meant non-compliance with the GDPR and local privacy laws with respect to personal data transfers to the UK.
In terms of this Agreement, the transition period has been extended for a period of 4 months with a possibility of a further two-month extension, ending on 30 June 2021. During this period the UK has agreed to maintain its data protection regime closely aligned with the GDPR and not to make any changes thereto, without the EU’s prior consent.
So did the Brexit Deal just bring an agreed relief of 4 months or so? Essentially yes, since an adequacy decision was not part of the Deal. However, in a way it also provides us with some optimism in terms of an adequacy decision being adopted by the end of this extended transition period.
The adoption of an adequacy decision is much longed for, particularly after the Schrems-II decision by the CJEU. Data adequacy is a status granted by the European Commission to countries outside the EEA which provide a level of personal data protection comparable to that provided in EU law. In fact, by means of an adequacy decision, personal data would continue to pass freely between the EEA and the UK without further appropriate safeguards, such as standard contractual clauses, required. The EU Commission has so far adopted adequacy decisions in favour of 12 countries; Japan and New Zealand among others.
If an adequacy decision is not adopted in favour of the UK by the end of this extended period, enterprises within the EEA would need to implement appropriate safeguards in terms of the GDPR so as to legitimise transfers of personal data to the UK.
The Trade and Cooperation Agreement is provisionally applicable since 1 January 2021, as it is still pending ratification.
Published also in Times of Malta: