The Latest Brexit Stories On Data Protection And Cybersecurity

Allen & Overy LLP

13 January 2021 – EU supervisory authorities' response to UK cross-border transfers

Following the finalisation of the TCA, a number of supervisory authorities in the EU issued statements in response. In addition, on 13 January 2021, the European Data Protection Board (EDPB) issued updated versions of its Brexit information note and statement. The amendments in both documents reflect the provisions of the TCA allowing the free flow of personal data from the EU and EEA countries to the UK for a period of six months, during which the European Commission is expected to adopt an adequacy decision in relation to the UK.

The information note is available here and the statement here.

31 December 2020 – Redline versions of UK GDPR and DPA 2018 and updated ICO guidance

On 31 December 2020, the UK Department for Digital, Culture, Media & Sport published updated redline versions (so-called “Keeling Schedules”) for both the UK GDPR and the Data Protection Act 2018. Keeling Schedules are prepared by the UK Government for illustrative purposes, setting out a conformed version of legislation that has been amended by various statutory instruments, making it easier to read and understand. In this case, the Keeling Schedules illustrate the Brexit-related changes made to the UK GDPR and the Data Protection Act 2018 by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.

The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published updated guidance for controllers and processors reflecting the situation after 1 January 2021, including the interim provisions of the TCA. The ICO has noted that the key principles, obligations, and rights under UK data protection law do not change as a result of Brexit.

The Keeling Schedules are available here. The ICO guidance is available here and here.

31 December 2020 – Cybersecurity cooperation and obligations under NIS Directive

With regard to cybersecurity, the TCA makes provision for cooperation between the EU and the UK with a view to exchanging information, sharing best practice and taking cooperative action to promote and protect cyberspace. This cooperation is envisaged to occur through international bodies and forums as well as between the CERT-EU and UK computer emergency response teams; the EU Cooperation Group and UK national authorities (on invitation and voluntarily); and ENISA and the UK (on invitation and voluntarily, with financial contribution).

The EU Network and Information Systems (NIS) Directive provides a framework to improve network and information security in the EU. The NIS Directive applies to certain entities designated as operators of essential services (OES) and to digital service providers (DSPs), e.g. online marketplaces or cloud computing services.

Starting 1 January 2021, DSPs based in the UK that offer services in the EU must, among other things, appoint a representative in the EU Member State where they offer services. DSPs offering services in the EU that are established in neither the EU nor the UK but previously had their representative registered in the UK will need to appoint a representative in the EU.

Similarly, DSPs based in the EU (or in another third country) that offer services in the UK must appoint a representative in the UK by the end of March 2021.

The guidance of the European Commission is available here. The guidance of the UK government is available here for UK-based DSPs and here for non-UK DSPs.

24 December 2020 – Free flow of personal data can continue for up to six months

On 24 December 2020, the EU and UK agreed, as part of the UK-EU Trade and Cooperation Agreement (TCA), that personal data can continue to be transferred freely from the EU/EEA to the UK for an additional period of up to six months. During this time, the European Commission will consider adopting an adequacy decision for the UK.

If an adequacy decision has not been adopted by the European Commission by the end of this six-month period, then any transfers of personal data from the EU/EEA to the UK will be considered third country transfers and appropriate data transfer mechanisms will need to be implemented. The UK Information Commissioner recommends that, as a sensible precaution, before and during this transitional period “businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data”. The UK has already deemed the EU/EEA to provide adequate protection to allow transfers of personal data from the UK to the EU/EEA.

The Trade and Cooperation Agreement is available here. The statement by the UK Information Commissioner is available here. Allen & Overy has published a summary of the most important takeaways of the TCA for business, available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Allen & Overy LLP | Attorney Advertising
