This article was co-authored by Sheena Purohit, Trainee Solicitor, London.
This is a developing topic and this article is current at 29 March 2021. We will provide a more detailed update on the data flow developments and their impacts later in the year.
On 19 February 2021, the European Commission announced a proposal to issue the UK with a data adequacy decision in respect of personal data transfers under the EU General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED).
The bridging mechanism that currently allows personal data transfers from the EU/EEA to the UK to continue unaffected expires on 30 June, therefore the proposal is a welcome step to ensuring continued data flow beyond this date. The draft decision by the Commission suggests that the Commission recognises the UK as having an equivalent level of protection to that under GDPR and LED. The Commission's draft decision will be reviewed by the European Data Protection Board and, if approved by representatives of the member states’, the adequacy decisions may be issued.
Adequacy findings will need to be future proof and therefore any adequacy decisions adopted would be valid for an initial four-year period following which the decision may be renewed if the level of protection is still deemed to be adequate. The cap on any initial adequacy period is an unsurprising and necessary step to ensure the data regulations are still adequate, taking into account any updates in legislation and other developments in this period.
As 2020 was finally drawing to an end, many of us wondered whether the much talked about ‘no-deal’ Brexit would become a reality after many failed negotiations between the UK and EU. With just days before the completion deadline, it was announced on 24 December that an agreement had finally been reached between the parties (some might say it was a Christmas miracle!).
Known as the Trade and Co-operation Agreement, implemented by the European Union (Future Relationship) Act 2020, the instrument sets out the new arrangements to commence on 1 January 2021 upon expiry of the Brexit transition period at 11pm on 31 December 2020.
The management and handling of data flows from the EU and EEA states (Norway, Iceland and Liechtenstein) into the UK is one of many issues dealt with by the agreement and one which many UK SMEs have eagerly been awaiting a definitive decision on.
As the UK has now officially left the EU, the EU GDPR no longer has direct application in the UK which has now gained full control over its data protection laws. As such, from 1 January 2021, UK businesses will be covered by the UK data protection regime which incorporates the GDPR into UK law (known as ‘UK GDPR’) alongside the Data Protection Act 2018. Any data flowing from the EU/EEA to the UK however will still need to comply with the EU data protection laws until an adequacy finding is reached which will allow the continued free flow of data from the EU/EEA to the UK.
While an adequacy finding remains to be reached, the agreement sets out an interim provision known as a ‘bridging mechanism’ which will last for a maximum of six months. The bridging mechanism allows personal data transfers from the EU/EEA to the UK to continue unaffected. However, this is only so long as the current UK data protection regime continues to apply.
This announcement comes as good news to UK SMEs processing personal data from the EU who can now breathe a momentary sigh of relief, however the Information Commissioner’s Office (ICO) issued a statement on 28 December 2020 advising organisations to take precautionary steps to ensure that alternative transfer mechanisms are adopted to avoid any potential interruption to data flows.
Although the bridging mechanism gives SMEs six months’ breathing space, allowing the flow of personal data into the UK from the EU to continue for the time being, it will not do so indefinitely. While we all hope that the EU Commission will make an adequacy finding in the UK’s favour, there is the risk that it may not. So, just as businesses prepared themselves for the implementation of GDPR in 2018, it is once again time for SMEs to take stock and put measures in place to avoid any potential interruptions to the free flow of data that many businesses rely on (although this time the changes should be more minor in nature).
SMEs and SCCs
SMEs who receive data from the EU/EEA have been advised by the ICO to put in place alternative transfer mechanisms as a precautionary measure to avoid any interruption to the free transfer of data. There are various measures businesses can take including implementing the Standard Contractual Clauses (SCCs), implementing Binding Corporate Rules or using one of the derogations available in the GDPR. For SMEs, the best option will likely be to put in place SCCs which allow data to flow freely on EU approved terms.
SCCs are essentially a set of standard terms and conditions entered into by the sender and recipient of personal data in order to help protect personal data being sent outside of the EU/EEA and outside the jurisdiction of the GDPR.
The ICO has helpfully published an interactive tool on SCCs to assist SMEs to understand and select the correct SCCs to allow them to maintain the flow of data from the EU and can be found here.
SMEs that send data from the UK to the EU/EEA only are not affected and do not need to take any additional steps as the UK Government has confirmed that such transfers are not restricted and SMEs do not need to take any additional steps.
Top tips for SMEs:
Related item: The Free Trade Agreement – implications for SMEs