On December 24, 2020, the EU and the UK reached an agreement on the terms of their future cooperation following the end of the Brexit Transition Period (i.e., following 31 December 2020). The EU-UK Trade and Cooperation Agreement (the ‘Agreement’) contains a temporary solution for companies transferring personal data from the EEA to the UK, in the form of an extended period during which personal data may freely flow from the EEA to the UK (the ‘Extended Free Flow Period’). During this Extended Free Flow Period, companies will not need to put in place data transfer mechanisms – such as Standard Contractual Clauses (‘SCCs’) – or rely on the derogations in Article 49 of the EU GDPR in order to legitimize such data flows. In principle, the Extended Free Flow Period will last no longer than six months.
As we discussed in more detail in our advisory ‘Brexit and Data Protection: What You Need to Know’, during the Brexit Transition Period, the UK was considered for the purposes of the EU GDPR to be an EU Member State. This meant that personal data could flow from the EEA to the UK without the need to implement data transfer tools in accordance with the EU GDPR. If the Extended Free Flow Period had not been agreed, the UK would have been considered to be a ‘third country’ for these purposes as of 1 January 2021 – meaning that such data transfer mechanisms would have become necessary.
The Extended Free Flow Period is designed as an interim solution, put in place to give the European Commission extra time to consider whether it will award the UK a ‘decision of adequacy’. If the Commission does so, then companies will be able to freely transfer personal data from the EEA to the UK indefinitely (or at least until such time as the decision of adequacy is revoked – for example in response to a legal challenge).
However, it is still not guaranteed that the UK will qualify for a decision of adequacy (particularly in light of its national security laws and access to data by public authorities in the UK). The UK ICO has released a statement on the Extended Free Flow Period in which it appears to acknowledge this, advising that ‘as a sensible precaution, before and during this period’, companies in the UK receiving personal data from the EEA should put in place alternative transfer mechanisms to safeguard against future interruptions.
The Agreement also limits the UK’s ability to make changes to its data protection regime if it wishes to continue benefitting from the Extended Free Flow Period. However, the UK will still be able to make changes in some circumstances – such as where the change is ‘limited to alignment with the relevant [European] Union data protection law’. This is a helpful provision given that the European Commission is in the process of producing modernized SCCs. If the European Commission adopts them in the next six months, then presumably to UK will be free to adopt similar clauses.
