Jan 4th 2021 UPDATE: It turns out that the UK-EU Trade Agreement, and the delay to restrictions on EU to UK data flows (i.e. the decision on adequacy), only affects EU to UK data flows. It does not affect any other aspect of the extra-territorial reach of GDPR (the post below is updated at the end to reflect this). So, now that the Brexit transition period has ended:
- You don’t need to worry about having Standard Contractual Clauses in place until a decision is made about UK adequacy
- You do still need to put in place an EU Representative if you are selling products and services to EU individuals
- You do still need to worry about the loss of the one-stop-shop approach to the appropriate authority
So, it would seem that the ICO’s statement on 28th December, which included the sentence “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices” isn’t as broad as I first thought!
— update ends —
On Christmas Eve (2020) the UK government reached a trade agreement with the EU.
Over the last year of the Brexit transition (which ends on the 31st December) there has been concern about what this means for data protection compliance. As I’ve posted before, this essentially means that from 1st January 2021 organisations that process EU data are likely to be impacted:
- Lack of an adequacy decision could mean the need for Standard Contractual Clauses between UK data controllers and EU data processors
- UK businesses targeting products and services to EU individuals or monitoring EU individuals’ behaviours may need to appoint an EU representative
- UK businesses that process data of EU citizens are likely to be answerable to the ICO and other EU equivalents (i.e. the loss of the so-called “one stop shop”)
Title III, Article DIGIT.6 and Article DIGIT.7 of the agreement specifically address cross-border data flows and the protection of personal data and privacy, and Article DIGIT.14 relates to controls over unsolicited direct marketing. But data protection related commentary is actually spread throughout the agreement (and difficult to find without working your way through the agreement).
Some breathing space for GDPR
Overall, there are no surprises. Each party recognises the need for data protection, but also that it should not hinder trade, and the need to protect citizens from unsolicited marketing. When it comes to an agreement around UK data protection adequacy (the EU test that UK data protection law protects EU citizens’ data in the same way EU GDPR does) you have to look in the separate Declarations:
DECLARATION ON THE ADOPTION OF ADEQUACY DECISIONS WITH RESPECT TO THE UNITED KINGDOM
The Parties take note of the European Commission’s intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the General Data Protection Regulation and the Law Enforcement Directive, and its intention to work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure.
A grace period for GDPR compliance
For the time being, though, the most important bit in the Agreement is “Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom”, which sets out that for a “specified period”:
transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law
This is provided the UK does not renege on its current agreement to adopt EU GDPR into UK law.
The “specified period” runs from 1st January 2021 for up to 4 months (although this can be extended to 6) unless an adequacy decision is reached before that time.
So, what does this mean from 1st January 2021?
So, it seems that work is still afoot for determining UK adequacy. If adequacy is achieved then transfers to the UK of EU data will not be restricted and the Standard Contractual Clauses will not be needed. But EU representatives and potentially the loss of a regulatory authority “one stop shop” are likely to remain, so if you haven’t already, you will need to consider (if you’re impacted) how you’re going to appoint such a representative.
However, there is no certainty about when we’ll see an adequacy decision and it seems there is still a risk that after 4 months (or maybe 6) no adequacy materialises and we’re back to needing those Standard Contractual Clauses as well as everything else.
So, what does this mean for you in the interim?
- Everything continues as it has been under the Brexit transition until either 4 months is up or an adequacy decision is reached, meaning:
  - You don’t need to worry about Standard Contractual Clauses
  - You still need to worry about EU representation
  - You still need to worry about the loss of the “one stop shop” regulatory regime