As part of the post Brexit trade deal struck at the eleventh hour between the UK and the EU over the Christmas period, agreement was reached to extend current data protection arrangements regarding the transfer of data between the EU/EEA and the UK for a further 6 months.
The arrangement means that businesses in the EU/EEA will still be able to safely transfer personal data to the UK without the need for the additional safeguards to be in place, as referred to in our earlier article. The arrangement is for 6 months to allow for adequacy decisions to be made. An adequacy decision is a formal assessment by the EU that a non EEA organisation or state has adequate data protection provisions. Where one has been made for a country, data can be transferred to that country without further requirements. As the UK currently operates under the GDPR, and therefore the same rules as the EU, an adequacy decision should in theory be a formality.
The Information Commissioners Office (ICO) statement on the same can be found here. The ICO is still recommending that as a sensible precaution “businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data”. Therefore, businesses that rely upon the transfer of personal data from the EU/EEA may want to ensure, if they have not already done so, that they have in place adequate terms, including standard contractual clauses where required, as a fall back in the event that there are any delays or difficulties with an adequacy decision for the UK.