Transferring Personal Data from the EU to the UK: Interim Solutions

Mintz - Privacy & Cybersecurity Viewpoints
Contact

Mintz - Privacy & Cybersecurity Viewpoints

The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.

Instead, a grace period of four to six months will apply to EU to UK transfers while the European Data Protection Board and European Commission evaluate whether the UK’s Data Protection Act 2018 provides adequate protection to EU personal data. On its face, this looks like an easy call to make since the UK’s Data Protection Act 2018 literally incorporates the EU GDPR. However, now that the UK is no longer in the EU, it’s possible that EU decision-makers will raise objections on the basis of the UK’s national surveillance laws, as they have in the case of the US. So a reciprocal adequacy decision is not guaranteed.

That leaves organizations that want to transfer personal data from the EU to the UK with a minor dilemma – should they work on the assumption that, before the end of the grace period, the EU will decide that UK data protection laws are adequate, or plan for the worst? The UK ICO has recommended that organizations start taking steps now to put “alternative safeguards” in place to ensure that data transfers can continue uninterrupted in the event that the EU does not reach a positive decision before the end of the grace period.

The most commonly used alternative safeguard is the Standard Contractual Clauses (SCCs) – form contracts that have been approved by the European Commission. But the SCCs themselves are currently under review by the Commission, which raises the next question: Use the current SCCs, or wait a few weeks – or more – to see if the Commission has approved the new SCCs? (See our previous blog post here discussing the new SCCs.) Unfortunately, we don’t know yet when we can expect a Commission decision adopting the new SCCs.

The downside of using the current SCCs is that if the EU does not grant the UK an adequacy decision, then parties to the current SCCs will need to put the new SCCs in place within one year of their adoption – so you will go through the entire SCC exercise twice within a year or so. The downside of waiting to see if the new SCCs are approved is that waiting will shorten the time left before the end of the data transfer grace period, so you could end up in a last minute scramble to get SCCs in place. Either way, there will be some time and effort involved – and a small gamble one way or the other.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.