Last-minute Brexit deal extends free flow of personal data to UK with 6 months

On 24 December 2020, the EU and the UK reached an agreement over some essential Brexit modalities, including the exchange of personal data between the EU and the UK.

As of 1 January 2021, the UK qualifies as a ‘third country’ pursuant to the EU General Data Protection Regulation 2016/679 (GDPR). From a data protection perspective, this means, in principle, that additional measures must be implemented to secure any transfer of personal data to recipients in the UK, as the UK will no longer benefit from the high level of protection of personal data ensured by the GDPR. Also, the Schrems II ruling of the EU Court of Justice (more information here), and the requirement to perform a data transfer risk assessment (including an assessment of the adequacy of the use of EU standard contractual clauses for international data transfers), will in principle fully apply to the UK after Brexit.

The trade deal addresses this point by providing that the EU and the UK envisage to have the UK maintain an adequate level of data protection post-Brexit, which would allow for a continued free flow of personal data.

The deal includes several obligations and restrictions (e.g. Part 2, Heading 1, Title III, Chapter 2) to ensure the (continued) equivalent protection and free flow of personal data between the EU and the UK. More specifically, the deal includes an interim provision for the transfer of personal data to the UK, confirming that data transfers to the UK shall not be qualified as transfers to a ‘third country’ during a transitional period that shall end after four months (as of 1 January 2021), which period shall be extended by two further months unless the UK or the EU objects thereto. The transitional period can also expire earlier, if an official adequacy decision for the UK is adopted by the European Commission. Although it remains to be seen whether an adequacy decision shall be adopted within the transitional period of (maximum) 6 months, such period is a welcome interim solution as it allows companies to continue mapping their data flows, conducting their risk assessment, and preparing for the implementation of additional requirements should the need arise.

Related : Loyens & Loeff CVBA ( Mrs. St├ęphanie De Smedt )


Mrs. St├ęphanie De Smedt Mrs. St├ęphanie De Smedt
Senior Associate - Attorney
[email protected]

Lastest articles by Mrs. St├ęphanie De Smedt

How will the B2B law affect general terms and conditions?

With the Law of 4 April 2019 concerning the abuse of economic dependence, unfair clauses and unfair market practices in B2...

Read more

New rules on B2B contracts in Belgium ÔÇô are you ready?

An Act of 4 April 2019 introduced three new sets of rules governing B2B-relationships: (1) a prohibition of unfair market ...

Read more

Belgian Data Protection Authority scrutinised by Brussels Markets Court

In February 2020, the Markets Court (a division of Brussels’ Court of Appeal) annulled the decision by which the Bel...

Read more

Belgian Data Protection Authority releases recipe for compliant cookies

During these corona times, we have noticed a trend whereby many of us have started baking (cookies, cakes, and other delic...

Read more

LexGO Network