On 24 December 2020, the European Commission (CE) announced the conclusion of the Trade and Cooperation Agreement with the United Kingdom, following its withdrawal from the European Union (EU) and the end of the succeeding transition period. The Agreement has now been published by the EC and it establishes a transitional regime for international data transfers between Member States and the United Kingdom.

Under the General Data Protection Regulation (GDPR), transfers of personal data to countries outside the European Economic Area (EEA) are subject to a set of rules. The rules vary depending whether or not the EC has issued an adequacy decision concerning the level of protection provided by the legislation of the country receiving the data. Where no adequacy decision exists, organisations, in order to perform the international transfers, must therefore implement one of the legal instruments ensuring appropriate safeguards foreseen in the GDPR, including, for example, the conclusion of contracts containing the standard contractual clauses approved by the EC.

The transition period following the departure of the United Kingdom from the EU, will finish on 1 January 2021, having strong implications in this context. This situation is aggravated by the absence of an adequacy decision from the EC (which may be more difficult after the Privacy International judgment of the Court of Justice of the European Union). Therefore, data transfers to this country – which were so far considered as transfers within the EEA –, would be subject to the regime applicable to transfers of personal data to third countries.

The now published Trade and Cooperation Agreement safeguards the position of organisations transferring personal data to the United Kingdom. It provides a period of 4 months (extendable for 2 months, provided there is no opposition from the parties to the Agreement) within which transfers of personal data to the United Kingdom shall not, exceptionally, be considered as transfers to a third country. This transitional regime, which has raised a number of questions as to its articulation with the GDPR and EU primary law, is applicable provided that the following conditions are met:

It is also foreseen that the transitional period of 4 months can be shortened if:

The ratification process of the Agreement should be concluded within the first months of 2021, namely after approval by the European Parliament. In the meantime, and to avoid a legal gap in the provisions regulation the relationship between the EU and the United Kingdom, pursuant to expectable decisions of the Council and British Parliament, the Agreement shall be provisionally applied from 1 January 2021 onwards.