The Draft EU–UK Trade and Cooperation Agreement in the version from Dec 24 includes temporary provisions that enable EU–UK transfers of data without any further complications. The relevant part is in FINPROV.10A (page 406 ff). Essentially, the transition period is extended for a few months with regards to GDPR.
What will happen on Jan 1 regarding GDPR?
Nothing! The “transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country”. So for a short while, we can continue to treat the UK as a member state for data protection purposes.
When will this provision end?
If any of three events occurs:
- when the EU adopts an adequacy decision for the UK
- 4 months after the Agreement enters into force, extensible by 2 months (so likely after Apr or Jun)
- if the UK alters its data protection legislation in a manner with which the EU doesn't agree
How fast could this provision change?
After a notification of a change in UK law to which the EU does not agree, it could take up to five days + 2 weeks for the Partnership Council to reject the change. However, it seems to me that this provision could end without appreciable prior notice.
Which GDPR version will apply to the UK starting on Jan 1?
The UK GDPR will apply. Specifically, the “applicable data protection regime” is “the data protection legislation of the United Kingdom on 31 December 2020, as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 [Footnote: As amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.]”
What about UK to EU transfers?
This Agreement only discusses EU to UK transfers. However, the UK government has previously pledged that it will consider the EU adequate.
The Agreement is pending ratification.
This post is purely informative and should not be construed as legal advice.
This post was first published by me on r/gdpr, with some changes.
- next post: Rust doesn't actually follow its Golden Rule (when it comes to async functions)
- previous post: gcovr 4.2