With the understandable focus on measures to ease lockdown, keeping up with data protection announcements is unlikely to be at the forefront of everyone’s minds.
However, February saw the UK reach an important milestone on the road towards a more lasting framework for EU data transfers post-Brexit, according to the UK’s Information Commissioner, Elizabeth Denham.
What has happened? And how do the developments help UK and EU organisations, now and in the future?
Transfers to the UK
On 19 February 2021, the European Commission published a draft adequacy decision under the EU GDPR (and another directive) for transfers of personal data to the UK. If approved, this will allow for the continued free flow of personal data from the EU into the UK.
The EU GDPR has always stipulated that the transfer of personal data to a third country must be covered by an adequacy decision or appropriate safeguards, unless very limited exceptions apply.
The purpose of this restrictive framework is to ensure that the data will receive protection ‘essentially equivalent’ to the standard under the EU GDPR, no matter where in the world it ends up.
As a result of Brexit, the UK became a third country for these purposes – a change in status that has massive implications for the movement of data that had previously flowed freely within the same regime.
Under the EU-UK Trade and Cooperation Agreement, the EU confirmed it would allow the ongoing free flow of personal data between the EU and UK, but this bridging arrangement was always intended to be temporary and is due to expire on 30 June 2021.
The recent publication of the draft adequacy decision is good news – a step towards a more stable footing, with approval under the adequacy decision set to last for four years before the next review. However, there are still several stages left in the process before the draft receives final approval.
There will be pressure on the EU to complete the process before the interim arrangement expires, but the ICO is also advising organisations to consider preparing other appropriate safeguards – such as Standard Contractual Clauses – to plug any gap in the timeline.
Transfers from the UK
Organisations need to remember that Brexit has also changed the framework for transferring personal data from the UK. This is now regulated by UK GDPR.
- Adequacy decisions (or adequacy regulations under UK GDPR) – Currently, the UK regime broadly mirrors the EU GDPR. Provisions permit the transfer of personal data from the UK to the EEA and to any country which was, as on 31 December 2020, covered by a European Commission adequacy decision. However, this will be kept under review by the UK Government, with powers for different adequacy regulations to be made.
- Standard Contractual Clauses (SCCs) – Existing EU SCCs can still be used for existing and new transfers. The ICO has published guidance on updating the language in the SCCs to reflect the new legal framework and entities involved, but the basic mechanics are unchanged. However, the EU is expected to publish new SCCs later in the year, and these will not be appropriate for use by UK data exporters. The ICO also intends to produce UK SCCs in 2021.
The Information Commissioner has said recent developments get us “a step closer to having a clear picture”. However, there are still issues to resolve and organisations should expect to be impacted by further updates on both the EU and UK regimes in the coming months. This remains an area to keep an eye on.
For further support email email@example.com or visit our website www.clarkslegal.com