After a period of uncertainty for the UK leading up to its exit from the European Union at the end of 2020, last week the ICO provided some insight into what personal data flows between the EU and the UK will look like in the short term.
Until adequacy decisions allowing GDPR-compliant transfers of personal data between the EU and the UK have been adopted, the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK in the short term. This will be in place for no more than six months. Equally, the UK has deemed on a transitional basis that the EU and EEA are adequate for the purposes of personal data flows from the UK.
The ICO has recommended that UK businesses working with EU and EEA organisations in a way that involves personal data transfers should put in place alternative transfer mechanisms to safeguard against any interruption to data flows should the position change following this interim period.
For the majority of small or medium organisations, the most straightforward and effective way to put appropriate safeguards in place and to ensure compliance is to incorporate standard contractual clauses ("SCCs") into the contract between the UK and EU/EEA organisations. For larger organisations, it is recommended that existing contracts and processes are reviewed to ensure UK/EU transfers are appropriately categorised as "international" transfers, at least until an adequacy decision is made.
This guidance from the ICO fits with the general position that in the short term from a data protection perspective, the UK will continue to operate in a similar manner. The Data Protection Act 2018 continues to set out the framework for data protection law in the UK. It now sits alongside the UK GDPR (UK version) and what is now referred to as the "frozen GDPR" (EU version). The European Union (Withdrawal) Act 2018 incorporated the GDPR into domestic UK law, renamed as the "UK GDPR" by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419, with UK GDPR sitting alongside the DPA 2018. However, any changes made by the EU to the GDPR will not automatically carry through to the UK, with the UK GDPR and the Data Protection Act 2018 now being the key points of reference going forward.
We explored some of the key considerations in our pre-Brexit paper "Will the UK be ‘adequate’ in 2021?" (Clyde & Co) and we will be watching as the position develops.
As a sensible precaution, before and during this period, the ICO recommends that businesses work with the EU and EEA organisations who transfer personal data to them to put in place alternative transfer mechanisms, safeguarding against any interruption to the free flow of EU-to-UK personal data.