As we all know the UK left the EU with effect from 1 January 2021. How does this affect the transfer and processing of personal data in the UK. The Withdrawal Agreement entered into by the EU and the UK regarding the withdrawal of the UK from the EU sets out a certain transitionary period. This transitional period expired as from 1st July 2021, meaning that the UK is treated as a third country with respect to the transfer and processing of personal date. What does this mean in practice for privacy and data protection?
When can personal data be transferred to a third country?
The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) sets out the rules for the transfer of personal data from controllers or processors in the EU to third countries and international organisations, as set out in Chapter V of the GDPR. The main rule is that personal data may only be transferred to a third country in the event that adequate protection level is available.
The Adequacy Decision of the EC regarding personal data
The good news is that on the 28th June 2021, the EU has passed a Commission Implementation Decision, decision on the adequate protection of personal data by the united kingdom – general data protection regulation (Adequacy Decision). The EU Commission has carefully analysed the law and practice of the UK and concluded that the UK ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the EU to the UK. After a period of 4 years, effective from 1st July 2021, the Adequacy Decision will be reviewed by the EU.
What is the Adequacy Decision?
This Adequacy Decision means that there are no consequences for the transfer and processing of personal data between an EU member state and the UK. There is no need to take action and there is no need to use Standard Contractual Clauses, or to use the Binding Corporate Rules (BCRs).
What are the Standard Contractual Clauses?
The EU has developed so-called standard contractual clauses (SCCs) under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA. These SCCs have been updated and the EU issued modernised standard contractual clauses on the 4th June 2021.
What are the Binding Corporate Rules?
The BCRs were developed by the UK to allow multinational corporations, international organisations, and groups of companies to make intra-organisational transfers of personal data across borders in compliance with the GDPR. These companies submit the binding corporate rules for approval to the EU.
When do you use Standard Contractual Clauses or the Binding Corporate Rules?
However, any company within the EU which transfers or processes personal data country outside EEA (European Economic Area) needs to obtain “adequate” protection. This means that either the SCCs or BCRs will need be used in order to transfer data from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA.
Schrems II
The SCCs were updated as a result of the Schrems II judgment of the Court of Justice of 16th July 2020. The court ruled that simply entering into SCCs was not sufficient. Each organisation that exports personal data outside the EEA, needs to assess case-by-case whether the legislation of the receiving country meets the protection requirements that is in line with the SCCs.
What are the innovations of the new Standard Contractual Clauses?
The new SCCs provide businesses with an easy-to-implement template and offer a more legal predictability to European businesses. The new SCCs in particular help SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers. The new SCCs covers all transfers in the entire chain from controller to (sub)processor to controller.
The main innovations of the new SCC include the following:
- One single entry-point covering a broad range of transfer scenarios, instead of separate set of clauses;
- More flexibility for complex processing chains, through a “modular approach” and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgments, i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible “supplementary measures” such as encryption, that companies may take if necessary.
In the event that an organisation already uses the old SCCs, a transitionary period of 18 months is provided within which the new version of the SCCs need to be used.
Are you looking for an lawyer experienced in the international aspects of privacy law, or if you have any queries or questions relating to the processing or transfer of personal data to a third country, please contact Madelon van Breemen.
