
Alston & Bird Privacy, Cyber & Data Strategy Blog

Brexit Trade Agreement Provides a Temporary Solution for Companies Transferring Personal Data from the EEA to the UK

January 6, 2021 By Paul Greaves and Wim Nauwelaerts

On December 24, 2020, the EU and the UK reached an agreement on the terms of their future cooperation following the end of the Brexit Transition Period (i.e., following 31 December 2020). The EU-UK Trade and Cooperation Agreement (the ‘Agreement’) contains a temporary solution for companies transferring personal data from the EEA to the UK, in the form of an extended period during which personal data may freely flow from the EEA to the UK (the ‘Extended Free Flow Period’). During this Extended Free Flow Period, companies will not need to put in place data transfer mechanisms – such as Standard Contractual Clauses (‘SCCs’) – or rely on the derogations in Article 49 of the EU GDPR in order to legitimize such data flows. In principle, the Extended Free Flow Period will last no longer than six months.

As we discussed in more detail in our advisory ‘Brexit and Data Protection: What You Need to Know’, during the Brexit Transition Period, the UK was considered for the purposes of the EU GDPR to be an EU Member State. This meant that personal data could flow from the EEA to the UK without the need to implement data transfer tools in accordance with the EU GDPR. If the Extended Free Flow Period had not been agreed, the UK would have been considered to be a ‘third country’ for these purposes as of 1 January 2021 – meaning that such data transfer mechanisms would have become necessary.

The Extended Free Flow Period is designed as an interim solution, put in place to give the European Commission extra time to consider whether it will award the UK a ‘decision of adequacy’. If the Commission does so, then companies will be able to freely transfer personal data from the EEA to the UK indefinitely (or at least until such time as the decision of adequacy is revoked – for example in response to a legal challenge).

However, it is still not guaranteed that the UK will qualify for a decision of adequacy (particularly in light of its national security laws and access to data by public authorities in the UK). The UK ICO has released a statement on the Extended Free Flow Period in which it appears to acknowledge this, advising that ‘as a sensible precaution, before and during this period’, companies in the UK receiving personal data from the EEA should put in place alternative transfer mechanisms to safeguard against future interruptions.

The Agreement also limits the UK’s ability to make changes to its data protection regime if it wishes to continue benefitting from the Extended Free Flow Period. However, the UK will still be able to make changes in some circumstances – such as where the change is ‘limited to alignment with the relevant [European] Union data protection law’. This is a helpful provision given that the European Commission is in the process of producing modernized SCCs. If the European Commission adopts them in the next six months, then presumably the UK will be free to adopt similar clauses.

Filed Under: Data Protection, GDPR, Privacy Tagged With: Adequacy, Brexit, Cross-border, EU Data Protection, EU Privacy, European Union (EU)

About Paul Greaves

Paul Greaves is a senior associate in the Brussels office and a member of Alston & Bird’s Privacy, Cyber & Data Strategy Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.

About Wim Nauwelaerts

Wim Nauwelaerts is a partner in the Brussels office, leading Alston & Bird’s European Privacy, Cyber & Data Strategy Team. Wim has over 20 years of experience working with global companies on their data protection, privacy, and cybersecurity needs, including General Data Protection Regulation (GDPR) readiness, data transfer, data security and breach requirements, and compliance training.

This blog is a service of Alston & Bird’s Privacy, Cyber & Data Strategy team and focuses on key data privacy and data security issues.


Copyright © 2022 · Alston & Bird · All Rights Reserved. Privacy.