I blogged previously on changes to data protection at the end of the transition period – 11 pm on 31 December 2020.
I advised UK organisations who received personal data from Europe that any transfers of personal data to them from 1 January could only occur if the European GDPR allowed it. I advised organisations to look at entering into ‘Standard Contractual Clauses’ with organisations in Europe who they rely upon to send personal data to the UK.
That advice needs to be revised as on Christmas Eve the UK reached a Trade and Cooperation agreement with the EU. Part of the agreement related to the continued flow of personal data from Europe to the UK.
The deal will be welcomed, but it has not permanently resolved the issue of how personal data can lawfully flow from Europe to the UK; it just kicks the can down the road for a period of four (possibly six) months. During that period the EU has agreed that personal data can be sent to the UK as before. In return, the UK is not allowed to exercise certain powers that it would otherwise have been able to exercise, such as recognising other countries as having adequate data protection or issuing its own version of the above Standard Contractual Clauses (SCCs).
The UK is still hoping to secure a finding of ‘adequacy’ from the EU. This is a formal recognition that the UK’s data protection regime meets the standards required by Europe. Securing such a finding at all, never mind within the next few months, is not guaranteed. As before, organisations may wish for certainty and speak to those with whom they have relationships in Europe about entering into SCCs to ensure that personal data can continue to be sent to the UK after the end of the above extension period.
So, what is the law now?
When the transition period ends the European version of the GDPR will be retained into UK law but will be immediately amended. What results will be known as the UK GDPR. There will also be changes made to the UK’s Data Protection Act of 2018. This Act supplements the GDPR. Organisations will need to comply with both of these laws when processing personal data as well as others such as the 2003 privacy regulations that deal with, amongst other issues, ‘cookies’ and marketing by electronic means.
What about sending personal data out of the UK?
UK legislation sets out how personal data can be lawfully sent out of the UK.
It can be sent to Europe (except Switzerland) as before.
It can also be freely sent to all of the countries that the EU previously deemed to have adequate data protection regimes. These are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, New Zealand, Switzerland, and Uruguay. As regards sending personal data to the UK, many of these countries have already made declarations that, regardless of the end of the transition period, they will still send personal data as before.
The UK has also recognised the use of the current EC-approved SCCs as an appropriate safeguard when sending personal data out of the UK (other than to Europe and the countries listed above) or, for larger organisations who have a number of companies within a group, the use of what are known as Binding Corporate Rules.
Has the European GDPR gone for good?
No – UK organisations who offer goods/services to individuals in Europe (or monitor them) must still comply with the European GDPR and, as such, may need to appoint an EU Data Protection Representative.
What about the UK GDPR?
Organisations outside the UK who offer goods/services to individuals in the UK (or monitor them) need to comply with the UK GDPR and may need to appoint a UK Data Protection Representative.