As an IP, if you are dealing with any UK businesses and organisations that rely on international data flows, target European customers or operate inside the EEA, 31 December 2020 is a key date.
When the UK left the EU, the transition period was set up until the end of 2020 to allow time to negotiate a new relationship with the EU. However, negotiations continue, and we are still no clearer as to what may happen.
After the transition period ends, the EU’s GDPR will no longer be law in the UK. However, the GDPR will be brought into UK law, meaning it will continue to apply.
The key principles, rights and obligations of data protection will remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA, and for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA.
After transition, the UK will become a "third country" (i.e. it falls outside of the GDPR zone). Hopefully, the EU will make an adequacy decision regarding the UK. This is where the European Commission determines whether a third country has an adequate level of data protection. If it does, then personal data can be sent from an EEA state to a third country without the need for any further safeguarding measures.
However, until an adequacy decision has been made, the transfer of personal data from the EEA to the UK will only be allowed if ‘appropriate safeguards’ are in place. The government has confirmed that transfers of data from the UK to the EEA will not be restricted. This decision means you will only need to consider safeguarding measures for ensuring that data can continue to flow into the UK.
The GDPR will still apply to any organisations in Europe that send you data.
You must understand the business’s international flows of personal data from the EEA to the UK, and in particular prioritise transfers of large volumes of data, special category data or criminal convictions and offences data, and any business-critical transfers.
As no adequacy decision is in place, in order for an EEA controller or processor to be able to make a restricted transfer of personal data to the UK, it must put in place one of the EU GDPR’s list of appropriate safeguards.
For most businesses that you will deal with, a convenient and appropriate way to safeguard a data transfer is by entering into a contract and incorporating standard data protection clauses adopted by the European Commission. These are known as Standard Contractual Clauses.
Following the Schrems II judgment in July, the European Data Protection Board published its recommendations in November on “measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. The European Commission also published updated Standard Contractual Clauses.
The above documents were subject to public consultation, though these windows have recently closed. The ICO has already stated that it expects organisations to act swiftly once further guidance emerges. As such, after the EDPB/EC have confirmed the final documents, all organisations will need to move quickly to regularise and align their international data transfer relationships with the new guidance. This will include reviewing and repapering all existing contracts which rely on the SCCs, to include the updated version.
In anticipation of this, TLT has configured one of its AI tools to be able to read existing contracts, identify where the “old” SCCs are currently used and flag where changes are required. This enables us to manage the process of updating large volumes of contracts much more cost effectively than by undertaking manual reviews. If this tool is something that you believe would benefit the businesses under your control, please get in touch.
Alternatively, if you are dealing with a multinational company with affiliates in the EEA (which is less likely), the business may already have in place binding corporate rules, which have been authorised under the EU process before the end of the transition period. These BCRs will continue to provide an appropriate safeguard for personal data transfers from the EEA to the UK. However, they will need to be updated at the end of the transition period to recognise the UK as a third country outside the EEA, for the purposes of the EU GDPR.
As we reach the end of an unprecedented year, the UK is still not in a clear position with regards to Brexit and its new relationship with the EU. IPs must therefore continue to be mindful of this shifting landscape and stay up to date with the evolution of data protection rules. In particular, IPs should ensure that the transfer of any data from the EEA into the UK has appropriate safeguards. If that is by way of Standard Contractual Clauses, it’s important they are fully aware of the anticipated guidance that is due to emerge, which may call for amendments to existing contracts.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at December 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.
Beyond BrexitRead more
Beyond Brexit: services trackerRead more
Claire Graham joins board of North West Fraud ForumRead more
Happy Diwali 2020Read more
How IPs should manage personal data deletionRead more
New ICO guidance on handling DSARsRead more
TLT expands restructuring and insolvency team in ScotlandRead more
TLT grows Legal 500 rankingsRead more
Uber case highlights risks of automated decisions about employeesRead more
Helping you navigate your business through the risks and opportunities that Brexit will bring.Read more
The way people shop is constantly evolving, from the growth of online and the changing use of stores...Read more
The widespread disruption and closure of businesses caused by the Covid-19 pandemic and the subsequent national and local lockdowns has brought into sharp focus the question of available insurance cover for losses under...Read more
Watch our video series for information on the legal issues that are affecting the real estate sector. Each...Read more
The pandemic has had a deep and long-lasting effect on the leisure, food & drink sector, forcing operators to embrace new ways of attracting and servicing customers.Read more
The pandemic has forced the majority of the workforce into a world of remote working. As a result, our cities are evolving.Read more
Our countdown to Brexit and beyond podcast series looks at the impact for businesses on both sides of the pond of any free trade agreement between the UK and Europe and the UK and the US. ThisRead more
There's a growing demand for retailers to do more to attract the Purple Pound – the collective spending power of disabled shoppers, estimated to be worth around £274bn. We look at the opportunities, the legal issues and...Read more
Green finance is gaining speed, driven by global climate change pressures and the recognition of the vital role which sustainability plays in a resilient financial services sector.Read more
Acting on all sizes of instructions, from large restructurings to individual creditors.Read more
Data protection law is changing rapidly and mistakes can lead to significant financial penalties and reputational damage. We can help you secure your data and use it to its maximum potential.Read more