05/07/21 (updated) – As part of the Trade and Cooperation Agreement the EU and the UK agreed a six-month ‘bridging period’, allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021, to give the European Commission enough time to adopt the adequacy decisions which are necessary to allow personal data to continue to flow from the EEA to the UK. (If you’re not sure what I’m talking about, then you catch up here and here.)
Anyway, good news. With a full two days to spare, the Commission formally adopted the adequacy decisions for the UK on 28th June – one for transfers of personal data under the GDPR and the other under the Law Enforcement Directive. As a result personal data continues to flow freely from EEA countries to the UK after the end bridging period.
Unlike the adequacy decisions adopted by the Commission for other third countries, the ones adopted for the UK have ‘sunset clauses’ which means that, unless renewed by the Commission, the decisions automatically expire in four years’ time. Furthermore, the Commission can intervene at any time during the four-year period if it considers that changes to UK law reduce the level of protection currently in place.
Tags: adequacy decision, data protection, gdpr, SCCs, sunset clause, third country, Trade and Cooperation Agreement
Posted in Privacy, Updates | No Comments »
05/05/21 – If your organisation does not transfer personal data to ‘third countries’, i.e. countries outside the EEA that do not have a UK adequacy finding, then breathe a sigh of relief and feel free to go and do something else. If, however, your organisation does transfer personal data to a ‘third country’ (which for these purposes includes the U.S.), then this is likely to be relevant to your data processing arrangements.
During an IAPP/LinkedIn Live event last week, the European Commission’s Head of International Data Flows and Protection, Bruno Gencarelli, explained that the delay to the adoption of the EU’s new Standard Contractual Clauses (New EU SCCs) is principally due to the volume of feedback that the European Commission has received since the publication of the draft New EU SCCs last November. However, according to Mr Gencarelli, it is now ‘a question of weeks‘ until the New EU SCCs are adopted by the Commission.
Most privacy lawyers – including me – have been assuming that once the New EU SCCs are adopted by the Commission, then the UK’s ICO will adopt pretty much identical standard contractual clauses for UK data exporters. This assumption has been based in part on the ‘copy & paste’ approach that the UK has so far taken to incorporating the EU GDPR (and for that matter the existing EU SCCs) into UK law, and in part on the fact that the UK is currently looking to secure a ‘clean’ EU adequacy decision while fully aware of the importance that the EU attaches to maintaining ongoing alignment of the EU and UK data protection frameworks.
It therefore came as a bit of a surprise when the ICO’s Deputy Information Commissioner, Steve Wood, announced today that the ICO ‘is working on bespoke UK standard clauses for international transfers, and intend to go to consultation on them in the summer‘. No details yet, but the message is clear – if you’re expecting the UK’s new SCCs to be a ‘copy & paste’ of the EU’s New SCCs, then don’t. And in terms of timing, it looks like UK data exporters may have to wait for another few months before they have access to updated SCCs for their transfers.
Part 2 to follow as soon as we have some more detail.
Tags: adequacy decision, data protection, gdpr, SCCs, Standard Contractual Clauses
Posted in Privacy, Updates | No Comments »
15/04/21 – If you’ve been following the progress of the UK adequacy decisions (see updates from December 2020 and March 2021), you will know that we have been waiting for the European Data Protection Board’s opinions on the draft UK adequacy decisions. As per the EDPB’s press release yesterday, these opinions have now been adopted.
Although the full texts are not yet available, the press release suggests that the EDPB’s opinions broadly supports the adequacy decisions, noting that the UK has “for the most part” mirrored the GDPR and the Law Enforcement Directive in its data protection framework, and that as a result many aspects of the UK’s law and practice are “essentially equivalent”.
However, the EDPB also emphasises that the alignment of the EU and UK data protection frameworks must be maintained going forward, and welcomes the European Commission’s decision to limit the duration of the adequacy decisions (to 4 years). The EDPB also urges the Commission to closely monitor how the UK applies restrictions to onward transfers of EEA personal data, including transfers pursuant to adequacy decisions adopted by the UK, international agreements concluded between the UK and third countries, or derogations.
Next step is for the adequacy decisions to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’, following which they can be adopted by the Commission. I will keep you posted.
Tags: adequacy decision, brexit, data protection, data transfer, EDPB, gdpr
Posted in Privacy, Updates | No Comments »
30/03/21 – As part of the Trade and Cooperation Agreement announced just before Christmas, the EU and the UK agreed a six-month ‘bridging period’ allowing transfers of personal data from the EEA to the UK to continue freely until 30th June 2021 – more detail here. Half-way through the bridging period is probably a good time for an update.
Update? Didn’t I read a few weeks ago that the EU issued the UK adequacy decision, and it’s now all done and dusted?
No, not really. What happened is that on 19th February 2021 the European Commission issued two UK adequacy decisions (one for transfers under the GDPR, and the other for transfers under the Law Enforcement Directive), but only in draft form. The drafts have now been passed to the European Data Protection Board (EDPB) for them to review and issue their non-binding (but influential) ‘advisory opinions’. After the advisory opinions have been issued, and any EDPB-recommended changes have been incorporated into the text of the adequacy decisions, the drafts will then need to be approved by representatives of all 27 EU member states via the so-called ‘comitology procedure’. Once approved, the adequacy decisions can be formally adopted by the Commission, and become legally effective.
Ah, so not quite done and dusted. Will this all be wrapped up by 30th June?
Probably. The good news is that the draft adequacy decisions were issued by the European Commission without any material conditions attached to them, i.e. the Commission considers that the UK’s data protection laws and systems are adequate. Also positive was the prediction of the EU Head of International Data Flows, Bruno Gencarelli, who said in a LinkedIn webinar on 27th January 2021 that he was confident the UK adequacy decisions would be adopted “by the end of the bridging period”. Ditto the prediction of the EU Commissioner for Justice, Didier Reynders, who, according to Vincent Manancourt of politico.eu, said on 16th February 2021 that the EDPB’s “opinion on UK data flows decision [is] expected mid-April […] Whole process to be wrapped up by Brussels by end of May/early June”.
Less positive were the widely-publicised comments of the UK culture secretary Oliver Dowden, who in his FT article on 27th February said: “we do not need to copy and paste the EU’s rule book, the General Data Protection Regulation, word-for-word”; and that the UK can now be more “agile” when it comes to “[striking] our own international data partnerships with some of the world’s fastest growing economies. […] The EU has been slow to act on this, declaring only 12 countries ’adequate’ in the past few decades”. Announcing the UK’s intention to diverge from the GDPR and criticising the EU’s historic approach to adopting adequacy decisions, all while the EDPB is busy considering the UK’s application, may not have been Mr Dowden’s best idea.
All very interesting, but I’ve got data flows with EU customers and other data partners which need to continue after 30th June. What do I need to do?
You’ve got a number of options, including:
Tags: adequacy decision, brexit, EDPB, gdpr, SCCs, TCA
Posted in Privacy, Updates | No Comments »
22/02/21 – On 19 February 2021 the European Commission published two adequacy decisions, one for transfers of personal data to the UK under the GDPR and the other under the Law Enforcement Directive. Although perhaps not surprising, this is still a positive step because it means the Commission has concluded that the UK does ensure an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive, including in relation to the rules for data access by public authorities.
What happens next?
The European Data Protection Board (EDPB) will now review and provide its (non-binding) opinion on the draft decisions. Representatives of each EU member state will then be asked to approve the adequacy decisions (the so-called ‘comitology procedure’) before the decisions are adopted by the Commission. In the meantime data can continue to be transferred from the EEA to the UK under regime set out in the UK-EU Trade and Cooperation Agreement, as discussed in my article UK-EU data transfers from 1st January 2021 – where are we? If the draft adequacy decisions are adopted, they will be valid for four years, following which they will be renewed if the level of protection in the UK continues to be adequate.
Tags: adequacy decision, data protection, data transfer, gdpr, Trade and Cooperation Agreement
Posted in Privacy, Updates | No Comments »
29/12/20 – Prior to the announcement of the EU-UK Trade and Cooperation Agreement [1], I was having to explain to a client that it was looking increasing likely that, from 1st January 2021, transfers of personal data from organisations located in EEA countries to the UK would no longer be lawful. (more…)
Tags: adequacy decision, data protection, gdpr, TCA, third country, Trade and Cooperation Agreement
Posted in Privacy, Updates | No Comments »