Data transfers under the GDPR after the UK’s withdrawal from the EU

20 May 2021

To date, organisations have not had to make any changes to how they transfer personal data between the European Economic Area (EEA) and the United Kingdom (UK) as a result of Brexit. This may change after 30 June 2021, if the European Commission does not make an adequacy decision in relation to the UK.

We have included a brief timeline of events impacting the regulation of data transfers between the EEA and UK below.

On 31 January 2020, the UK officially left the European Union (EU), however EU laws and regulations continued to apply to data transfers in the UK until 31 December 2020 under a transitional agreement reached between the two parties.

As of 1 January 2021, the transition period ended and therefore the GDPR no longer applied to the processing of personal data in the UK.

The lapsing of this transition period had two key impacts for organisations transferring data between the EEA and UK:

  1. the UK became a ‘third country’ for the purposes of the GDPR. This meant that the provisions of Chapter 5 (requiring appropriate safeguards) applied to any transfer of personal data from the European Economic Area to the UK; and
  2. organisations were required to comply with both the GDPR and data protection laws in force in the UK.

The impact of organisations needing to comply with Chapter 5 of the GDPR in relation to transfers of data to the UK was ameliorated by the EU-UK Trade and Cooperation Agreement.

The EU-UK Trade and Cooperation Agreement allows organisations to continue to share personal data without the need to put in place an alternative transfer mechanism under the GDPR. This interim regime ends on 30 June 2021, however it is anticipated that the European Commission will adopt an adequacy decision for the UK before that date (the process commenced on 19 February 2021).

If this does occur, organisations can continue to transfer personal data to the UK without any further conditions.