This provides a useful overview, amongst other things, as to whether:
- during the transition period, the General Data Protection Regulation (GDPR) continues to apply and data can be freely transferred between the UK and the EU;
- after the transition period, UK organisations processing personal data about data subjects in the EEA in connection with offering them goods or services, or monitoring their behaviour will still need to comply with the GDPR due to its the extra-territorial nature;
- for the immediate term after the transition period, the UK will recognise all EEA states, EU and EEA institutions, and Gibraltar as providing an adequate level of protection for personal data, meaning that personal data can flow freely from the UK to these jurisdictions;
- after the transition period, unless otherwise agreed in a trade deal, until the European Commission adopts an adequacy decision in respect of the UK, EEA businesses wishing to send personal data to a UK recipient will need to have adequate protections in place, likely in the form of a contract between the EEA exporter and the UK importer, incorporating the EU standard contractual clauses;
- after the transition period, unless otherwise agreed in a trade deal, the Information Commissioner’s Office (ICO) will no longer form part of the regulatory co-operation and co-ordination mechanisms under the GDPR and will therefore no longer have a seat on the European Data Protection Board (EDPB).
If you would like to discuss specific arrangements for support through the risks of the move to an uncertain future relationship, on how you might express the concerns of your business to governments, on dispute risks that may arise, or on any other questions or challenges you have, please do contact your regular Herbert Smith Freehills relationship contacts, or otherwise any of our experts listed here.