News

Brexit GDPR

11.01.2021

With the expiry of the Brexit transition period on 31 December 2020, the United Kingdom (UK) is no longer subject to European Union (EU) law, which includes the General Data Protection Regulation (GDPR). Even though the UK’s Data Protection Act 2018 directly mirrors the GDPR, the EU has not formally recognised the UK as having an ‘adequate’ domestic data protection regime.

This situation would threaten serious consequences for UK and EU businesses needing to exchange personal data. Therefore, the Trade & Cooperation Agreement (TCA), agreed by the UK and EU just before the end of 2020 to address general ongoing relations between them, extends a grace period to ‘buy’ time for mutual acknowledgements of adequacy. During this period (until May or July 2021), the UK will continue to be treated as a European Economic Area (EEA) member state for GDPR purposes, provided it does not diverge further from the EU’s data protection regime.

Crucially, this would seem to preclude any close data sharing between the UK and United States of America (USA). It also requires the UK to specifically maintain EU standards on individual consent for direct electronic marketing, such as email and SMS messaging.

It is not clear how quickly mutual adequacy could be established. The TCA allows four to six months which, all else being equal, ought to be sufficient. However, in the current political and economic climate, it is not inconceivable that either party may decide that other issues should be given higher priority.

While this situation may be of greatest direct concern to UK based data handlers, it also applies to any other business around the world with an interest in transferring data in and out of the UK.

If you have any questions about data protection or privacy including collecting, storing, and processing personal data in Australia, the UK or EU, please contact our specialist team.

This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.

© Moulis Legal 2021