On 24 December, in the nick of time, the UK and EU agreed the “Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part”. Catchy title.
For those processing personal data in the UK and EU, the Brexit Trade Deal is a (much-needed) Good News Story. The agreement contains specific provisions prohibiting data localisation requirements, regulating the transfer of Passenger Name Record data, and allowing data sharing for law enforcement purposes. The crucial section for most businesses, however, is Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom.
Under this Article, transfers of personal data from the EEA to the UK can continue – as the UK will not be treated as ‘third country’ for the purposes of GDPR – until the earlier of: (1) the EU Commission adopting an ‘adequacy decision’ in respect of the UK, which would allow data transfers to continue with no further safeguards required; or (2) 30 April 2021, extendable to 30 June 2021 unless either party objects. During this period, the UK has agreed not to make any changes to its own data transfer regime without the EU’s approval, including adopting new Standard Contractual Clauses or BCRs (except changes bringing UK law in line with EU law). The UK has already committed to allowing data transfers into the EU unimpeded.
It is, of course, possible that this simply buys us few more months, and the end of April/June sees yet another desperate scramble to put in place Standard Contractual Clauses for EU to UK transfers. The more optimistic of us, however, view this as a real intention to grant the UK adequacy status. We all need some positive thinking to kick-start 2021.