Since the UK left the EU on 31 December 2020, the UK has been governed by the UK GDPR, which replaces the EU GDPR. This article covers the changes.
The UK GDPR sits alongside other key UK data protection laws. The UK GDPR is nearly identical to the EU GDPR with the same data protection rights, principles and obligations. However, the UK now has independence to review and amend the framework.
UK GDPR & data transfers
If you transfer personal data outside the UK, data transfer requirements should be at the forefront of your mind. In this article, we have set out some key considerations for those who are transferring personal data to and from the UK.
The UK is now classified as a “third country” to the EU. The EU GDPR restricts transfer of personal data to third countries, unless they are granted adequacy, a status granted to countries that can provide a comparable level of personal data protection to EU law. Once approved, information can pass between the third country and the EU without additional safeguards.
The European Commission published its adequacy decisions for transfers under the EU GDPR and the Law Enforcement Directive earlier this year in respect of the UK. Both adequacy decisions are expected to last until 27 June 2025 and the European Commission will start work later in 2024 to decide whether to extend the adequacy decisions for the UK for a further period up to a maximum of another four years. If they don’t extend the decisions, then they will expire on 27 June 2025.
The decision does not mean that we will maintain adequacy until 27 June 2025. The European Commission continues to monitor the UK data protection regime to ensure that equivalent standards are maintained. This is particularly topical as the UK government is currently consulting on changes to its data protection regime. Such changes could cause adequacy to be revoked if the European Commission deems them to represent a decline in standards. You can read more about the UK government proposals here.
Standard Contractual Clauses (“SCCs”) are another means of implementing additional safeguards when transferring data to and from the UK. They are widely used mechanisms to enable international data transfers and have become vital to transfers between the UK/EEA and the USA following Schrems II and the invalidity of Privacy Shield (detailed below).
The European Data Protection Board recently approved new SCCs; however, due to the timing of publication, the new SCCs do not form part of the EU retained law post-Brexit. This means that ‘existing’ SCCs apply. The ICO has published its plans for a new post-Brexit transfer framework to replace the EU’s SCCs, with the new regime expected shortly.
It is important to flag that the EU-US Privacy Shield has been declared invalid by the European Court of Justice (CJEU). Please refer to our article on Privacy Shield for more information on this decision. If you are transferring data to or receiving data from the US, it is important to take specialist advice from a data protection lawyer. At Stephens Scown, we have a specialist data protection team on hand to assist with such enquiries.
UK GDPR & data transfer preparation
Anyone who transfers personal data to and from the UK must comply with the statutory requirements under the UK GDPR and the applicable data protection laws. By way of example, this includes ensuring that privacy policies are compliant and that parties transferring data have compliant data processing agreements in place. They must also be aware of the possibility of further change on the horizon.
For specialist advice on your obligations under UK data protection laws, please do get in touch with our expert Data Protection team who can assist you.