What impact does Brexit have on your data transfers to the UK?

Legal Eubdate
3 February 2021

As a result of Brexit, the UK is a third country in relation to the GDPR, as of 1 January 2021.

The EU-UK Trade and Cooperation Agreement ("the agreement") includes a bridging mechanism on further exchange of personal data between the EU and the UK. This mechanism lasts for a transition period of four months initially (until 30 April 2021) with the possibility of extending it for another two months (until 30 June 2021).

During the transition period, the transfer of personal data between the EU and the UK will not be considered as a transfer to and from a third country, provided that the UK adheres to the conditions listed in the agreement and no adequacy decision is adopted during the transition period.

After the transition period, the free flow of data to the UK will no longer be possible without (i) an adequacy decision from the European Commission, or (ii) the implementation of a data transfer tool as listed in Chapter V of the GDPR.

Adequacy decision: The competent EU committee confirmed on 14 January 2021 that the EU is finalising its assessment of the UK data protection regime and it will start the decision-making process in the coming weeks. The next step would be to obtain the opinion of the European Data Protection Board (EDPB).

It remains to be seen whether an adequacy decision will be adopted in the end. The UK government and the ICO therefore recommend that businesses put in place alternative transfer mechanisms in any case, in order to safeguard against any interruption to the free flow of personal data between the EU and the UK.

Standard Contractual Clauses and binding corporate rules: If no adequacy decision is adopted by the European Commission by the end of the transition period, personal data can only be transferred on the basis of the appropriate safeguards and derogations listed in Articles 46 or 49 GDPR, e.g. by concluding standard contractual clauses or adopting (new or adapted) binding corporate rules. Since the Court of Justice's Schrems II judgment, data controllers (data exporters) need to comply with additional requirements when transferring personal data to a recipient located in a third country (data importer). For more information, please see our earlier analysis.