What the UK-EU Trade and Co-operation Agreement means for personal data

The new agreement between the UK and EU covers a huge range of issues, however, one thing that couldn’t be included was the flow of personal data between the UK and EU. We have written previously about the separate process that will determine whether the UK has an “adequate” level of protection for personal data.

If adequacy status is awarded, personal data will continue to be able to move freely between the UK and EU, as it did while the UK was a member of the EU.

What constitutes personal data?

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

An example of this is a UK company that receives customer information from an EU company, such as names and addresses, to provide goods or services.

What was the outcome of the adequacy assessment?

The EU was unable to complete the adequacy assessment before the end of the transition period. This was hardly surprising given the fastest adequacy assessment to date, for Argentina, took 18 months. Usually it takes much longer.

So, what now?

The UK and EU have agreed a ‘bridging mechanism’ for personal data flows. This will ensure continuity of personal data flows for an initial period of four months. If the EU still hasn’t completed its assessment by the end of this four-month period, then it will be extended for a further two months, providing neither side object to an extension.

There are currently no provisions to extend the bridging mechanism beyond six months, however both sides are confident that the assessment should be completed within the six-month period.

Take action

While the UK Government is confident it will be deemed adequate, this is not guaranteed. It is also entirely possible for adequacy status to be rescinded at any point, without any warning, if the UK is deemed to have reduced its level of protection for personal data.

As a sensible precaution during the bridging mechanism, businesses and other organisations should consider putting in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data – for example to establish a standard contractual clause to keep data flowing.

Businesses should use the Information Commissioner’s Office (ICO) website to look for the latest changes to guidance and outcome of the adequacy agreement decision.

Webinar

Just before Christmas, we ran a webinar on this very topic. Neil Ross, Policy Manager, Digital Economy at techUK and Ben Nash from the Department for Digital, Culture, Media and Sport outlined the issues and actions businesses should consider. This webinar is available for members to view, and the content is largely still relevant.