What action you need to take regarding data protection and data flows with the EU/EEA after the end of the transition period.
New rules for January 2021
The UK has left the EU, and the transition period after Brexit comes to an end this year.
This page tells you what you’ll need to do from 1 January 2021. It will be updated if anything changes.
Check what else you need to do during the transition period.
This information is for UK businesses and other organisations that:
- receive and transfer personal data to/from organisations abroad, including the European Economic Area (EEA), which includes the EU
- operate in the EEA
Further information can be found on the Information Commissioner’s Office’s (ICO) website. The ICO is the independent supervisory authority for data protection in the UK.
What personal data is
Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.
An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.
Looking ahead to 1 January 2021
Receiving personal data from the EU/EEA and already adequate third countries
From 1 January 2021, your organisation may need to have Standard Contractual Clauses (SCCs) in place with EU counterparts in order to legally receive personal data from the EU.
The EU’s data adequacy assessment of the UK is underway and we are confident that adequacy decisions can be concluded by the end of the transition period. This would allow for the free flow of personal data from the EU/EEA to the UK to continue without any further action by organisations.
However, if the EU has not made adequacy decisions in respect of the UK before the end of the transition period, you should act if you want to ensure you can continue to lawfully receive personal data from EU/EEA businesses (and other organisations) in the future.
In this scenario, organisations will be required to put in place alternative transfer mechanisms to ensure that data can continue to legally flow from the EU/EEA to the UK. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs). The ICO also provides more detailed guidance on what actions might be necessary and an interactive tool that allows you to build SCCs.
In addition to this, 11 of the 12 third countries deemed adequate by the EU have currently informed us they will maintain unrestricted personal data flows with the UK. Further information can be found on the ICO’s website.
For personal data flows from the UK
There are currently no changes to the way you send personal data to the EU, EEA, Gibraltar and other countries deemed adequate by the EU. If this situation changes, we will update this page.
For international data transfers from the UK to other jurisdictions, further information can be found on the ICO’s website.
Personal data provisions in the Withdrawal Agreement
This section provides an outline of the UK government’s view on the general application of the Withdrawal Agreement personal data protection provisions.
Organisations should be aware that Article 71(1) of the Withdrawal Agreement contains provisions that continue to apply EU data protection law to certain ‘legacy’ personal data in the event that the UK has not been granted full adequacy decisions by the end of the transition period. In accordance with the Withdrawal Agreement, references to EU law should generally be understood as the law applicable on the last day of the transition period.
Legacy data comprises personal data of individuals outside the UK (whether in the EEA or not) which is processed in the UK, where:
- it was acquired before the end of the transition period and processed under EU data protection law; or
- it is processed on the basis of the Withdrawal Agreement after the end of the transition period, for example if personal data is processed under a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement.
At the end of the transition period, EU data protection law will be converted into UK domestic law, with some minor technical amendments to ensure it is operable in the UK. UK and EU data protection law will therefore be aligned at the end of the transition period. Although UK organisations may not need to do anything differently immediately to accommodate the Withdrawal Agreement requirements in practice, they may want to consider, where possible, taking stock of the personal data they hold so they can identify and track relevant legacy personal data to which EU data law applies in line with the Withdrawal Agreement requirements.
Please monitor the ICO’s website for further guidance.
Appointing EU-based representatives
Some UK data controllers and processors may also need to appoint EU-based representatives from 1st January 2021. Further information can be found on the ICO’s website, or you can call the ICO helpline on 0303 123 1113 for further information (open Monday – Friday).
Data protection and GDPR
To date, during the transition period, there has been no change to the UK’s data protection standards. EU data protection laws, including the General Data Protection Regulation (GDPR), have continued to apply throughout the transition period alongside the Data Protection Act 2018. The Information Commissioner remains the UK’s independent supervisory authority on data protection.
After the end of the transition period, GDPR will be retained in UK law and will continue to be read alongside the Data Protection Act 2018, with technical amendments to ensure it can function in UK law. The UK remains committed to high data protection standards.
What you need to know about the transition period, data flows and EU-based representatives
During the transition period, personal data is able to flow freely (subject to GDPR compliance), without additional restrictions, between the EU/EEA and the UK. There is also no requirement for UK data controllers or processors to appoint EU-based representatives for the duration of the transition period. UK organisations are also still able to send personal data legally from the UK to the EEA and 12 countries currently deemed adequate by the EU.
On 16 July 2020 the Court of Justice of the European Union (CJEU or ECJ) invalidated the EU-US Privacy Shield adequacy decision with immediate effect in the Schrems II case, meaning this framework can no longer be relied upon for personal data transfers to US businesses and organisations.
The judgment upheld that EU standard contractual clauses (SCCs) remain a valid tool for the international transfer of personal data but only where they (together with any additional measures) provide for “essentially equivalent” protection as in the EU.
During the transition period, EU data protection law applies to the UK, and the Schrems II judgment and EU adequacy decisions are therefore binding on transfers of data leaving the UK. Further information can be found on the ICO’s website.