As you will be well aware, on the 24 December 2020 the UK Government and the EU announced that they had successfully agreed a trade deal that would govern relationships between the EU and the UK post-Brexit (i.e. from 1 January 2021).
The agreement takes the form of nearly 2,000 pages of legal text, side letters and declarations and lawyers around the country are scrambling to try and understand the impact of the deal across a wide variety of sectors.
Something we have been asked a lot over the last 12 months is “what happens regarding data protection in 2021?”. We now have an answer, for the time being at least.
Buried at page 406 of the trade deal, at paragraph 1 of Article FINPROV.10A, it is confirmed that for a ‘specified period’ the UK shall not be treated as a third-country for data protection purposes. This means that data can flow from the EU into the UK, and from the UK into the EU in the same way as it has done since GDPR came into law in May 2018.
The ‘specified period’ is a period of four months, automatically extending by a further two months (unless either of the EU or the UK object to the extension). This period will automatically end if the UK changes the Data Protection Act 2018 without the EU’s prior consent.
What can be inferred from the wording around data protection is that the deal is merely a ‘stop-gap’ that is buying the EU and the UK a six-month period in which to agree an adequacy decision that would mean that the UK would not be classed as a third-country and data could move freely between the EU and the UK much as it did prior to Brexit.
So, in conclusion, the panic about data protection post-Brexit is over. Nothing will change on 1 January 2021. At least until June 2021 when the specified period expires.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.