Companies trading with countries in the EU or European Economic Area (which adds in Iceland, Norway and Liechtenstein to the EU 27) are warned it may be illegal to transfer personal information across the new borders after the Brexit transition period ends on 31 December 2020.
A release sent out by the UK Department of Media, Culture & Sport says that if you are a UK business or organisation that receives personal data from the EU or EEA, “you may need to take extra steps to ensure that the data can continue to flow legally as we transition to our new relationship with the EU in January 2021. Visit gov.uk to check how you can legally continue to receive personal data such as names, addresses or payroll details from organisations in the EU or EEA from January 2021."
This type of information is regularly used in the daily running of businesses and organisations – for example, in relation to human resources, sales, purchasing or marketing. This includes names and addresses of customers, suppliers or partners to provide goods or services and could also IP addresses or human resources data, such as staff working hours and payroll details.
Earlier a ruling by the EU's top court in Luxembourg last Tuesday morning dealt a serious blow to the prospect of digital information being able to flow freely to the EU/EEA after Brexit.
From January 1, the United Kingdom loses its automatic status as a safe destination for EU data because it falls out of the EU's legal system. Now the U.K.'s data protection regime needs to get a stamp of approval from the European Commission in what is known as an "adequacy decision." But the Court of Justice of the European Union last Tuesday deemed the U.K.'s bulk data collection regime illegal under EU law. It said that legislation like Britain’s Investigatory Powers Act — rules that give local national security agencies authority to harvest people’s information — fails to protect fundamental rights. Similar rulings also affect Belgian and French laws. So such a a stamp of approval is unlikely.