Update Brexit and data protection: GDPR no longer applicable?
Until the United Kingdom left the European Union, data transfers to the United Kingdom were based on its status as a member state of the EU. With Brexit, the rules of the General Data Protection Regulation would now apply to data transfers to third countries. A new legal basis would have to ensure that there continues to be an adequate level of protection for data processing in the UK.
A suitable legal basis could emerge in an adequacy decision by the EU Commission. This has not yet been taken due to the ongoing negotiations of a trade and cooperation agreement between the UK and the EU.
Brexit has happened, so the General Data Protection Regulation is no longer applicable? No, the negotiations are dragging on, as is the applicability of the General Data Protection Regulation for data transfers to the UK. According to the Trade and Cooperation Agreement, data exchange is possible for four months, plus two months of possible extension, as if the UK were still an EU member. Whether the European Commission will make an adequacy decision during this time remains to be seen. For more information, please see the press release from the Conference of Independent Data Protection Supervisors:
Monday, January 4, 2021