The EU-UK Trade and Cooperation Agreement requires adapting to new trading arrangements, rules and regulations. This information for businesses trading cross-border between Ireland and Northern Ireland covers GDPR, data protection and data transfers.
The EU has formally recognised the UK’s high data protection standards. This will allow the continued seamless flow of personal data from the EU to the UK and is expected to last until 27 June 2025.
The decisions mean that UK businesses and organisations can continue to receive personal data from the EU and EEA without having to put additional arrangements in place with European counterparts. This GOV.UK press release explains more about the Data Adequacy Agreement.
How do EU and UK rules for GDPR compare?
The General Data Protection Regulation (GDPR) is the EU wide regulation that contains the data protection rules. These common rules set out the obligations of businesses and organisations that acquire, hold, control or deal with personal data and the rights of persons to whom the information relates.
UK GDPR is the retained version of the EU GDPR which forms part of UK law. As of March 2023, the Data Protection and Digital Information (No.2) Bill is before Parliament which, if and when passed into law, will replace and update UK GDPR with new comprehensive UK legislation. The UK Information Commissioner's Office website has a comprehensive guide to the UK General Data Protection Regulation.
How do EU and UK rules for data protection compare?
Data Protection is about the privacy of information (data) relating to people. It covers any information collected, held or used by a business or organisation that relates to a living person in any way that is held in electronic form or in a physical filing system.
The EU Commission adopted two adequacy decisions in June 2021 for transfers of personal data to the United Kingdom, one under the General Data Protection Regulation and the other for the Law Enforcement Directive. The Information Commissioner's Office has a helpful overview of Data Protection and the EU.
The UK Government has stated that transfers of data from the UK to the EEA EU (plus Iceland and Norway and Liechtenstein) are permitted. It says it will keep this under review. Up to date information is available from the UK Information Commissioner's Office.
How do EU and UK rules for data transfers compare?
The wider EU-UK Trade and Cooperation Agreement contained a bridging mechanism that allowed the continued free flow of personal data from the EU/EEA to the UK after the transition period, until adequacy decisions came into effect, for up to 6 months until 1st July 2021.
On 28 June 2021, the EU made adequacy decisions which recognise the UK’s data protection standards. This decision is due to apply until 27 June 2025 when it is to be reviewed further.
The UK Government has also confirmed that transfers of data from the UK to the EU/EEA are permitted and that this decision will be kept under review.
- Information Commissioner's Office: Overview - Data Protection and the EU.
- GOV.UK: Guidance on Using personal data in your business or other organisation.
- The Data Protection Commission Ireland: Information about organisational obligations under data protection legislation and the General Data Protection Regulation.
Article reviewed: 27 March 2023