The new UK GDPR now applies. The UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.
Transfers from the EU to the UK can continue for up to six months under the provisions of the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”), subject to certain provisions.
Privacy notices, terms and possibly other documents will need review, though amendments may not be substantial. UK legislation will no longer count as a ‘legal obligation’ for purposes of data processing in the EU, and likewise EU legislation will no longer count as such in the UK.
Firms will need to consider whether they need to appoint an EU representative if they do not have an establishment there and are offering services to individuals in the EEA or monitoring the behaviour of individuals in the EEA.
Meanwhile, reliance on Standard Contractual Clauses (SCCs) as a basis for international transfers remains a live issue following the decision in Schrems II (see our September 2020 Risk Update and link on www.legalrisk.co.uk/News) and the European Commission’s consultation on the revised SCCs (see www.legalrisk.co.uk/News). These are under review by the Information Commissioner’s Office.
Firms will need to review their arrangements for transfer of data to third countries, and note that following Schrems II the European Data Protection Board recommended that firms conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere.
Questions have been raised as to whether it is in practice possible to rely on SCCs when transferring data to the USA because of the provisions of Section 702 of the Foreign Intelligence Surveillance Act (FISA 702 – “Procedures for targeting certain persons outside the United States other than United States persons”) and Executive Order 12333 (“United States intelligence activities”), but there are reasons to suggest that this may not be a problem in practice so far as law firms are concerned.
Data protection legislation, cases and guidance can be found on www.legalrisk.co.uk/Data.