The Brexit transition period ended on 31st December 2020. After that date, the UK became a Third Country in the eyes of the EU and thus transfers of personal data need to be looked at differently. Transfers of personal data from the EU to a Third Country are required under the GDPR to be protected by safeguards in order to ensure “essential equivalence” with EU data protection standards. There are various options in order to comply, as follows:
- An adequacy decision in favour of the Third Country, awarded by the EU, indicating that the data protection regime of that Third Country offers equivalent protection to individuals to that offered under EU regulations
- Standard Contractual Clauses (SCCs) approved by the EU which commit data exporters and importers to agreed, robust standards of protection
- Binding Corporate Rules (BCRs) which can be used by companies for international data transfers between their entities
- Certain derogations which I won’t go into here because they can only be used in exceptional circumstances
It was always unlikely that the UK would secure an adequacy decision by 31st December, and there was concern that any business offering goods or services, or monitoring the behaviour of EU individuals, would need to implement SCCs immediately after 31st December. The good news is that under the UK-EU Trade Agreement finalised on 24th December, whilst adequacy was not awarded, the EU has allowed a grace period of 4 months from 1st January (which can potentially be increased to 6 months and most likely will be) whereby personal data can continue to flow freely from the EU to the UK without the need for further safeguards. The grace period (known in the agreement as the ‘specified period’) will end sooner if an adequacy decision is awarded within the 4/6 months.
The UK government has already agreed that data can continue to flow freely from the UK to the EU. Notwithstanding the above ‘breathing space’ there is no certainty that the EU will award the UK an adequacy decision anytime soon, as they have concerns regarding UK government access to personal data, and there is also some concern that organisations could potentially use the UK as a ‘back-door’ into the USA, thus circumventing the Schrems 2 ruling. Indeed, the Information Commissioners Office (ICO) has stated on 28th December that “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data”. By “alternative transfer mechanisms” in most cases we can read this as SCCs. It would therefore be sensible for any organisations that offer goods or services or monitor the behaviour of EU individuals to get SCCs in place as soon as possible.
Just to clarify what is meant by “monitoring behaviour” Recital 24 of the GDPR states that “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to make decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.” My advice for any companies meeting the above criteria is to prepare SCCs, make some minor adjustments to your documentation to reflect changes in the legislative landscape e.g., the Data Protection Act 2018 and the UK GDPR so that you are well prepared and fully compliant. If you require help with your data protection compliance including preparation of SCCs, then feel free to contact us.
Nick Richards CIPP/E