Prior to the end of the Brexit transition period, the UK and the EU agreed the Trade and Cooperation Agreement, which provides the framework for trade between the EU and UK following the expiration of the Brexit transition period on 31st December 2020.
On the 1st January 2021, the UK would have become a “third country” for the purposes of the EU General Data Protection Regulation (“GDPR”). A “third country” is any country outside the European Union and the European Economic Area for whom the GDPR does not constitute part of its legal system. The practical implications of this would have been that transfers of personal data from the EU to the UK could only take place if there are “appropriate safeguards” in place or if the European Commission formally recognised that the UK has implemented adequate levels of protection for personal data (known as a “adequacy decision”).
So what has the Trade and Cooperation Agreement done? This Agreement has extended the Brexit transition period (in respect of data protection) for a “specified period” of up to six months. Therefore, potentially the UK will not be considered to be a “third country” until the end of June 2021, for the purposes of data transfers. However, there is a caveat to this extension, that is, if, during the “specified period”, the UK amends its data protection laws (which were in place on 31st December 2020) or exercises certain powers under the Data Protection Act 2018, or UK GDPR without the agreement of the EU Partnership Council, the “specified period” shall end and the UK will then be considered to be a “third country”.
This is welcome news for Irish businesses, as businesses can continue to transfer personal data between the EU and UK without having to adopt any additional safety measures for the duration of the “specified period”. Furthermore, any personal data being transferred from the UK to the EU can continue (without interruption) as the UK has recognised the EU Member States as “adequate” jurisdictions for the purposes of UK data protection law.
However, businesses must note that this relief is only for a specified period of time. If no decision is made by the European Commission as to whether the UK has adequate levels of data protection prior to June 2021, businesses will be placed back in the position of potentially adopting additional safety measures to ensure the safe uninterrupted flow of personal between its business and the UK.
If you are concerned about the impact of Brexit on your business and/or you wish to discuss implementing appropriate data protection safeguards in your business, we at Kane Tuohy LLP, have a dedicated Data Protection department available to help you with any of your requirements.
This Article is not intended as legal advice. For specific queries, please liaise with Sarah Reynolds or Rita Higgins whose details are set out below.