Britain – as we know – ended its transition period at 11.00pm on 31st December and no longer operated as though it were a member of the European Union. (I say ‘Britain’ because in some ways Northern Ireland effectively remains within the EU.)
The implications for data protection were unclear up to the last moment, in particular regarding personal data transfers from the EU to the UK. However, on pages 406 and 407 of the 1246-page agreement drawn up at the last moment one finds Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom.
This says, quite simply, that for at least four months – and for a further two months unless one side objects – the UK will not be treated as a third country provided we make no changes to our existing data protection legislation.
As a result, there is no immediate need to implement any of the measures – such as Standard Contractual Clauses – discussed in my update before Christmas in relation to data transferred from the EU (plus Iceland, Liechtenstein and Norway).
The agreement makes reference to the possibility of the EU making an ‘adequacy’ decision about the UK within the next six months, which would then mean that transfers of data from the EU to the UK could continue as now. That would obviously be a good outcome for many organisations.
About Paul Ticher
Paul is author of Key Guides: Data Protection for voluntary organisations www.dsc.org.uk/dat published in Jan 2021
He is an independent specialist, with over 30 years’ experience of data protection in the voluntary sector. However, he is not a lawyer. It may not be a complete or accurate statement of the law, and it is not intended to be legal advice. It is also based on information available at the time of writing on 7/1/21.
If you have any questions on this blog, please do contact Paul at firstname.lastname@example.org