The Brexit transition period ended on 31st December 2020. After that date, the UK became a Third Country in the eyes of the EU and thus transfers of personal data need to be looked at differently. Transfers of personal data from the EU to a Third Country are required under the GDPR to be protected by safeguards in order to ensure “essential equivalence” with EU data protection standards. There are various options in order to comply, as follows:
It was always unlikely that the UK would secure an adequacy decision by 31st December, and there was concern that any business offering goods or services, or monitoring the behaviour of EU individuals, would need to implement SCCs immediately after 31st December.
The good news is that under the UK-EU Trade Agreement finalised on 24th December, whilst adequacy was not awarded, the EU has allowed a grace period of 4 months from 1st January (which can potentially be increased to 6 months and most likely will be) whereby personal data can continue to flow freely from the EU to the UK without the need for further safeguards. The grace period (known in the agreement as the ‘specified period’) will end sooner if an adequacy decision is awarded within the 4/6 months. The UK government has already agreed that data can continue to flow freely from the UK to the EU.
Notwithstanding the above ‘breathing space’, there is no certainty that the EU will award the UK an adequacy decision anytime soon, as they have concerns regarding UK government access to personal data, and there is also some concern that organisations could potentially use the UK as a ‘back-door’ into the USA, thus circumventing the Schrems 2 ruling. Indeed, the Information Commissioner's Office (ICO) stated on 28th December that “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data”. In most cases, “alternative transfer mechanisms” can be read as SCCs.
It would therefore be sensible for any organisations that offer goods or services to, or monitor the behaviour of, EU individuals to get SCCs in place as soon as possible. To clarify what is meant by “monitoring behaviour”, Recital 24 of the GDPR states that “In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Our advice for any companies meeting the above criteria is to prepare SCCs and to make some minor adjustments to your documentation to reflect changes in the legislative landscape (e.g., the Data Protection Act 2018 and the UK GDPR), so that you are well prepared and fully compliant.
Written by Nick Richards, our DPO. For further info on our Data Protection Officer Service click here: https://www.hunningsconsultancy.co.uk/dpo-service-data-protection-officer/