On 31 December 2020 the transition period for the UK’s exit from the EU ended. For the purposes of EU law this means the UK is now a ‘third country’. This has implications across all areas of law and practice. Here we consider what the UK’s third country status means for the flow of personal data between the UK and countries within the European Economic Area (the EEA) where GDPR applies.
Unlike many other areas where change came immediately after the end of the transition period, data flow rules remain the same for an initial period of four months (this period can be extended). In this period it’s hoped that the EU will arrive at an ‘adequacy decision’ in respect of the UK’s post-Brexit data protection framework.
If the EU determines that the UK adequately protects personal data then data should continue to flow as freely as before (subject to all GDPR and other requirements). But if the EU finds UK data protection law ‘inadequate’ then the UK will have to comply with EU GDPR data transfer rules as they apply to third countries.
If the EU decides that UK data protection law does not meet its adequacy requirements, the implications for EEA and UK data controllers and processors will be significant. There are, however, existing mechanisms geared toward mitigating the disruption a ‘not adequate’ decision may lead to. These include standard contractual clauses (SCCs) – standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to.
GDPR imposes a legal obligation on controllers and processors to formalise their working relationship. A contract also makes sense from a practical and commercial point of view. It demonstrates that controllers and processors are GDPR compliant, affords greater protection to consumers and ensures clarity about each side’s role in protecting personal data in the course of their business.
In November 2020 the European Commission published proposed new SCCs, giving organisations a year to implement them. Key features of the proposals include:
We advise a range of businesses on all aspects of data protection law. As we adapt to the post-Brexit era it’s crucial that you get expert advice on compliance with GDPR and evolving related legislation. For more information please contact director Shubha Nath at Nath Solicitors on 44 (0) 203 670 5540 or contact the firm online.