Press enter to search, esc to close
As an IP, if you are dealing with any UK businesses and organisations that rely on international data flows, target European customers or operate inside the EEA, 31 December 2020 is a key date.
When the UK left the EU, the transition period was set up until the end of 2020 to allow time to negotiate a new relationship with the EU. However, negotiations continue, and we are still no clearer as to what may happen.
After the transition period ends, the EU’s GDPR will no longer be law in the UK. However, the GDPR will be brought into UK law, meaning it will continue to apply.
The key principles, rights and obligations of data protection will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA, and for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA.
After transition, the UK will become a "third country" (i.e. it falls outside of the GDPR zone). Hopefully, the EU will make an adequacy decision regarding the UK. This is where the European Commission determines whether a third country has an adequate level of data protection. If it does, then personal data can be sent from an EEA state to a third country without the need for any further safeguarding measures.
However, until an adequacy decision has been made, the transfer of personal data from the EEA to the UK will only be allowed if ‘appropriate safeguards’ are in place. The government has confirmed that transfers of data from the UK to the EEA will not be restricted. This decision means you will only need to consider safeguarding measures for ensuring that data can continue to flow into the UK.
The GDPR will still apply to any organisations in Europe that send you data.
You must understand the business’s international flows of personal data from the EEA to the UK, and in particular prioritise transfers of large volumes of data, special category data or criminal convictions and offences data, and any business-critical transfers.
As no adequacy decision is in place, in order for an EEA controller or processor to be able to make a restricted transfer of personal data to the UK, it must put in place one of the EU GDPR’s list of appropriate safeguards.
For most businesses that you will deal with, a convenient and appropriate way to safeguard a data transfer is by entering into a contract and incorporating standard data protection clauses adopted by the European Commission. These are known as Standard Contractual Clauses.
Following the Schrems II judgment in July, the European Data Protection Board published its recommendations in November on “measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. The European Commission also published updated Standard Contractual Clauses.
The above documents were subject to public consultation, though these windows have recently closed. The ICO has already stated that it expects organisations to act swiftly once further guidance emerges. As such, after the EDPB/EC have confirmed the final documents, all organisations will need to move quickly to regularise and align their international data transfer relationships with the new guidance. This will include reviewing and repapering all existing contracts which rely on the SCCs, to include the updated version.
In anticipation of this, TLT has configured one of its AI tools to be able to read existing contracts, identify where the “old” SCCs are currently used and flag where changes are required. This enables us to manage the process of updating large volumes of contracts much more cost effectively than by undertaking manual reviews. If this tool is something that you believe would benefit the businesses under your control, please get in touch.
Alternatively, if you are dealing with a multinational company with affiliates in the EEA (which is less likely), the business may already have in place binding corporate rules, which have been authorised under the EU process before the end of the transition period. These BCRs will continue to provide an appropriate safeguard for personal data transfers from the EEA to the UK. However, they will need to be updated at the end of the transition period to recognise the UK as a third country outside the EEA, for the purposes of the EU GDPR.
As we reach the end of an unprecedented year, the UK is still not in a clear position with regards to Brexit and its new relationship with the EU. IPs must therefore continue to be mindful of this shifting landscape and stay up to date with the evolution of data protection rules. In particular, IPs should ensure that the transfer of any data from the EEA into the UK has appropriate safeguards. If that is by way of Standard Contractual Clauses, it’s important they are fully aware of the anticipated guidance that is due to emerge, which may call for amendments to existing contracts.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
17 December 2020