At the end of the transition period, UK domestic law will treat EU (and wider EEA) states and institutions as adequate on a transitional basis for the purposes of the UK GDPR, so personal data can continue to flow from the UK to the EEA without further safeguards needing to be implemented.
In order for the free flow of personal data from the EEA to the UK to continue at the end of the transition period, we are seeking an adequacy decision from the EU under the GDPR. Our view is that the UK more than meets the ‘essentially equivalent’ adequacy test. However, if the EU has not made an adequacy decision in respect of the UK before the end of the transition period, there are alternative mechanisms which organisations in the EU/EEA can use to lawfully continue to send personal data to the UK from 1 January 2021. Standard Contractual Clauses (SCCs) are the most common legal safeguard and will be the relevant mitigation for most organisations.
These measures should address any potential risk of challenge from privacy advocates.