In our last Brexit data protection insight, we highlighted three main mechanisms through which data flows could continue between the UK and the EU post-Brexit. One of these was the EU making an adequacy decision, in other words confirming that it considers the UK to be a safe destination for personal data under the General Data Protection Regulations.
The UK and the EU have been working towards agreeing a deal in advance of the end of the transition period, which ends at 11pm on 31 December 2020. At the same time, talks in relation to an adequacy decision have been ongoing. However, it seems more than likely that such a decision will not be made by the end of the year and there is no basis for an interim decision under the current rules.
As we noted in our previous insight, the effect of this is that another legal basis for transferring data from the EU to the UK will need to be found. The most obvious safeguard is standard contractual clauses (SCCs). These clauses contain contractual obligations on the exporter of data as well as the importer – the objective being that the rights and freedoms of data subjects whose data is being transferred are protected where the party receiving the data is not subject to adequate rules.
A failure to put these mechanisms in place whilst still transferring data could lead to investigations and fines by the EEA data protection authorities. That said, it seems unlikely that this will happen as the talks on adequacy will continue in January.
It’s worth noting that this only affects transfers from the EU to the UK. The UK government has implemented regulations, which transitionally recognise all EEA countries (including EU Member States), Gibraltar and the EU institutions as “adequate”, thereby permitting data transfers to these countries to continue.
We will continue to post updates on this, along with other Brexit matters, as and when we get them. However, if you have any immediate concerns, you can contact us at [email protected]