Brexit and data transfers hoping for a seasonal miracle

Viewpoints
December 1, 2020
2 minutes

I do not know if Elizabeth Denham, the UK's Information Commissioner, has written her letter to Santa this year but, if she has, I wouldn't be surprised if she asked for an EU adequacy decision allowing for free data flows to carry on into 2021.  

In her letter to the Financial Times this week, she was clear that this is not guaranteed.  However, she stopped short of publicly hoping for a Christmas miracle.

The failure of the UK to secure an adequacy decision during the Brexit negotiations won't impact UK firms transferring personal data to the EU, as these data flows are deemed to be adequately protected under the Data Protection Act 2018.

However, without an adequacy decision, data flows from the EU to the UK will no longer be possible, unless additional measures are made to protect the data.  This would impact many organisations and their processing of all types of personal data, from HR records and directories, to customer lists and shareholder registers. It will also apply where data from the EU is on cloud services in the UK. 

Elizabeth Denham urges organisations to be prepared.  For most, this means taking immediate action to identify one of the statutory derogations, obtaining individual consents, or entering into standard contractual clauses to ensure the data flows remain lawful. 

At present, most transfers of personal data from the EU rely on the EU Commission's standard contractual clauses. However, the effectiveness of these was called into question earlier this year, when the European Court of Justice made clear in its Schrems II decision that the use of the clauses is only valid where there has been assessment of the jurisdiction to which the data will be transferred and where necessary supplemental measures are put in place by the parties to ensure the adequate protection of the data. 

This has had organisations scrambling to review contracts and add new measures, but without clarity on what the measures really need to be in order to mitigate risk.

Two weeks ago the European Data Protection Board published its draft recommendations on the supplemental measures, which were immediately followed by the draft of the EU Commission's new version of the standard contractual clauses.  Both documents are helpful and may allow organisations to address the transfer issue.  However, both drafts are unlikely to be agreed before the 31 December deadline. 

So what are organisations to do? Should they really act immediately and put in place a set of contractual clauses aware that if the new drafts are approved they will need to update within a year? Or should they take a risk-based approach hoping that the new standard contractual clauses are approved before year end, or even that the UK negotiates adequacy as part of the final deal?

To wait for adequacy or the new clauses is not without risk and could result in non-compliance on New Year's Day.  But the risk may be low, as it compares to currently transferring data under un-supplemented standard clauses.

Risks aside, there is always the miraculous hope of adequacy being granted or the new clauses be approved, and at least we are in the right season for miracles.