You may have noticed recently that the UK has decided to leave the European Union, in a process commonly known as Brexit.
We posted a blog article earlier this month on the changes to data protection resulting from Brexit, and now that a treaty has been agreed at the eleventh hour between the EU and the UK we felt an update was appropriate.
The main outstanding issue in the area of data protection was whether the EU would grant an adequacy decision to the UK. This would mean that transfers of personal data from the EU to the UK would be allowed without putting any additional safeguards in place. The treaty still doesn’t answer this question; what it does instead is provide for a four-month grace period (also being referred to as a “data bridge”), extendable by a further two months (indications are that this is very likely to happen), to cover such transfers, as long as the UK doesn’t make any significant changes to its laws or exercise many of the provisions made within them.
During this time, the question of UK adequacy will still be considered by the EU. If it is granted, then the grace period will end. If it is not granted by the end of the six-month period, then in theory we enter a situation where the UK is considered an “inadequate” country for transfer purposes, and appropriate safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) may be required.
The results of the EU’s deliberations are by no means a foregone conclusion; some would say that a refusal by the EU to grant the UK an adequacy decision, given that the UK has decided to adopt data protection laws very similar to the EU’s (the UK GDPR), would be hard to justify, and would make it more difficult for such decisions to be made in favour of other countries that are also being considered. On the other hand, the recent Schrems II judgement by the European Court of Justice, which destroyed the EU-US Privacy Shield scheme, may make such adequacy decisions harder because it places a brighter spotlight on government use of personal data.
If your organisation currently transfers personal data from the EU to the UK, you now have a further six months to think about how best to justify it. You could cross your fingers and hope that the EU makes that adequacy decision, or you could start now to plan a contingency (if you haven’t already) to cater for the situation where the decision doesn’t go the UK’s way. I think I know which I would do.
As a last note, it’s worth making the point that this grace period doesn’t affect the need to appoint a representative in the EU and/or the UK to deal with data subjects and supervisory authorities. CertiKit has partnered with DataRep, who provide such services, so get in touch with us at [email protected] and we can give you a discount code for 10% off their rates.