Turning briefly to data privacy developments on the other side of the pond, in a draft adequacy decision reported to have been seen by the Financial Times, the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week. As reported in a must-read overview of this development, the decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organizations to transfer personal data from the EU to the UK up until 30 June 2021 (which is discussed in greater detail at “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”).
The decision will be welcomed by businesses, particularly those that regularly transfer customer personal data from the European Economic Area (“EEA”) to the UK (including those in the insurance, health, technology and financial sectors). However, there remained significant uncertainties for businesses, who were previously advised by the Information Commissioner’s Office (the “ICO”) to take precautions, putting in place alternative data transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data. Such a mechanism is likely to have involved the adoption of standard contractual clauses (“SCCs”), which allow for the lawful and secure transfer of personal data from within the EEA to countries outside the EEA (“third countries”), provided that an accompanying “Schrems II” data transfer assessment permits so. This would entail significant legal and administrative costs for businesses. Furthermore, and in light of the Commission’s new draft SCCs, any existing contracts would need to be updated to reflect the new clauses within one year from adoption by the Commission.