We’ve all been waiting with bated breath to see whether the EU will allow EU-to-UK data transfers to enjoy the pre-Brexit freedoms we have all become used to.
The journey isn’t over yet but the Commission has just published a draft ‘Decision’ which, if approved by both the European Data Protection Board (which will need to give its “opinion”) and a committee of the European Parliament will mean that businesses handling regular EU-UK processing can relax a little, safe in the knowledge that the UK’s data protection regime is still on a par with that of the EU.
This is perhaps not surprising given that the new “UK GDPR” is based on “retained EU legislation”. But, in politics, of course, nothing is ever quite certain.
Just to give you some of the history and an insight into how these things are handled in Brussels, here are some extracts from the Commission’s draft legal text.
“As of 1 January 2021, transfers of personal data to the United Kingdom are governed by the EU-UK Trade and Cooperation Agreement (TCA), agreed by EU and UK negotiators on 24 December 2020 and provisionally applicable since the first day of the year. The [TCA] provides for an interim regime (so-called ‘bridging clause’, enshrined in Article FINPROV.10A of the TCA) that ensures the full continuity of data flows between the EEA and the UK, with no need for companies and public authorities to put in place any transfer tool under the GDPR… This solution is applicable for a period of maximum six months, and is conditional on the commitment by the UK not to change the data protection regime currently in place. In essence, this means that the UK must continue to apply the data protection rules, based on EU law, that were applicable during the transition period.”
Draft Article 1 of the proposed Decision would therefore read-
For the purposes of Article 45 of Regulation (EU) 2016/679 [GDPR], the United Kingdom ensures an adequate level of protection for personal data transferred within the scope of Regulation (EU) 2016/679 from the European Union to the United Kingdom. “
So it’s a step in the right direction and one that suggests we perhaps won’t have to resort to the costly and time- consuming burden of putting in place Standard Contractual Clauses or Binding Corporate Rules (BCRs) as the alternative means ensuring adequate protections for data.
Over now to the EDPB and European Parliament for what we hope might be a fairly prompt confirmation of the Decision.
Tim Heywood FRSA is a Partner at Gunnercooke llp specialising in data protection, cyber and information law.
The contents of this note are intended for general guidance purposes only and are not legal advice. No reliance should be placed on the guidance and we accept no liability for any reliance placed upon it. Specific legal advice should always be obtained in relation to your particular circumstances.
Wir verwenden Cookies, um Inhalte und Anzeigen zu personalisieren und die Zugriffe auf unserer Webseite zu analysieren. Sie können sich jederzeit gegen die Verwendung von Cookies entscheiden.AnnehmenAblehnenMehr erfahren
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.