This mechanism remains valid for British companies that send data to the US under the Privacy Shield agreement (and US organizations that receive DATA from the UK under Privacy Shield), but the text of the data protection shield privacy policy needs to be updated. We already know that the Data Protection Act 2018 provides that most of the RGPD will apply to the UK after Brexit, and the government has said that even in a no deal scenario, it will maintain data flows to the EEA for the foreseeable future. We have also known for some time that the EU would not start negotiating properly until after the withdrawal agreements have been concluded, but it is encouraging to see that the UK could not be sneaky. Unless the parties decide, before 1 July 2020, to extend the transitional period from 1 to 2 years, the whole of eu primary and secondary law will no longer apply in the United Kingdom from 1 January 2021. The transfer of personal data to the United Kingdom is then subject to the requirements of Chapter V of the RGPD and the Criminal Prosecution Directive. The European Commission has published a series of opinions outlining the consequences in a number of areas of action to prepare citizens and stakeholders for the UK`s withdrawal. During this transitional period, the UK government and the EU will ideally negotiate a data protection agreement that meets the needs of both parties, whether it is an adequacy decision, a data protection shield agreement or another agreement allowing the free flow of data between the UK and the EU. The UK and EU said they are „committed to ensuring a high level of protection of personal data to facilitate such flows between them“ and hope to have agreements reached by the end of the transition period. After years of turmoil, the UK finally seems to have an agreement defining how it will leave the European Union (EU). Prime Minister Boris Johnson`s withdrawal deal shares many similarities to the withdrawal agreement put forward by his predecessor Theresa May, particularly with regard to data protection requirements. It is a clear bet that Brexit will dominate in Britain in 2019 and that preserving the free flow of personal data is one of the highest priorities on both sides. A technical agreement has been reached on the draft withdrawal agreement and on the political declaration on future relations, both of which contain a number of references to data protection. It remains to be seen whether or not one of the agreements will survive in its current form, but it is encouraging to see that the focus is on maintaining cross-border data flows.

After this transition period, if no agreement, agreement or trade agreement is reached between the UK and the EU, the UK will leave the country in a non-agreement scenario and become a `third country`. As the CSO has already pointed out, UK organisations and organisations that carry out UK activities that receive personal data from the EU must, in such a scenario, ensure that they have additional legal controls, such as standard contractual clauses or binding business rules, to ensure compliance with the RGPD. The RGPD and EU fines continue to be imposed on third countries when dealing with personal data of EU citizens. If a adequacy decision is not adopted, another option could be a data protection shield agreement currently in place between the UK and the US. Under the agreement, a transitional period is in effect until 31 December 2020, during which current EU rules will continue to be applied by the UK and can begin negotiations on the way forward (the option to extend the transition period has been removed from the most recent version).