EU-UK Trade and Cooperation banner EU-UK Trade and Cooperation banner EU-UK Trade and Cooperation banner

The newly implemented EU-UK Trade and Cooperation Agreement (“Trade Agreement”) brings change to many facets of life. As we adjust to these new developments, we would like to bring one particular area to your attention: the impact the Trade Agreement has on data protection and privacy. From the current interim period, to changes that went into immediate effect, we break down everything you need to know.

1. The interim period is dependent on the UK data protection law remaining as it was on 31 December 2020 and the UK not exercising any “designated power” without EU agreement. Designated powers include introducing new standard/model clauses, new codes of conduct and certification mechanisms, or new binding corporate rules.
2. It will last for a maximum period of four months with the possibility of an extension of two additional months.
3. It also applies to the transmission of personal data to the UK from Iceland, Liechtenstein and Norway.

The Agreement makes it clear that this interim period will only work as long as both parties do their part to ensure the protection of individuals’ personal data. The Law Enforcement & Judicial Co-operation section of the Trade Agreement will be suspended at the first wind of any inadequacies.

1. European representatives: UK organizations targeting EU individuals must appoint a representative located in one of the EU members states. This change also applies for global organizations that currently have their European representative located in the UK: they must appoint one residing in an EU member state.
2. Regulators: Organizations operating in both the EU and the UK now have at least two regulators (the UK ICO and the corresponding EU authority) to report to.
3. Accountability: Organizations need to be prepared to take appropriate action if the UK does not receive an adequacy decision at the end of the interim period, e. implementing standard contractual clauses (SCCs) and binding corporate rules (BCRs) and international data transfer impact assessments.

Our teams of professionals, in Luxembourg and abroad, understand the dynamics of a successful data protection and privacy program. Reach out and let us help you and your organization navigate the challenges of the current and future data protection landscape.