On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU.  The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here).  The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.
Continue Reading European Commission Adopts Final UK Adequacy Decisions

On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data.  The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfers personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.

Continue Reading European Commission Publishes Draft UK Adequacy Decisions

On December 24th, with a year-end deadline and the holidays fast approaching, European Commission and United Kingdom (“UK”) officials announced they reached a deal on the EU-UK Trade and Cooperation Agreement (“Agreement”).  Once formally adopted by the European Union (“EU”) institutions, the Agreement will govern the relationship between the EU and UK beginning on January 1, 2021, following the end of the Brexit transition period.

The Agreement is likely to avert a year-end scramble to secure cross-border data transfers between the EU and the UK.  Although the final text has not yet been published, a UK government summary of the deal indicates that the parties agreed to allow for the continued free flow of personal data for up to six months to allow time for the EU and UK to adopt mutual “adequacy decisions,” in which each jurisdiction may recognize the other as offering adequate protection for transferred personal data.  Absent these adequacy decisions (and the interim period established by the Agreement), organizations would need to consider implementing additional safeguards, such as standard contractual clauses, to transfer personal data between the EU and UK.
Continue Reading Brexit Deal Keeps EU-UK Data Flows Open as Parties Pursue Mutual Adequacy

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be

Two sets of regulations aimed at readying UK data protection law for a post-Brexit world have been promulgated in recent weeks.  These regulations, which were made pursuant to the EU (Withdrawal) Act 2018 (EUWA), will only come into force in most respects upon the UK’s withdrawal from the EU.  Broadly speaking, these regulations are intended to preserve the status quo post-Brexit by (1) amending certain provisions of the GDPR to allow it to be retained as UK domestic law and (2) transitionally adopting certain key decisions of the EU institutions that, collectively, would allow for the continued lawfulness of personal data flows out of the United Kingdom where currently permitted under EU law.  In both regards, these regulations are consistent with prior guidance from the UK Information Commissioner’s Office (discussed here).
Continue Reading UK Issues Regulations on Post-Brexit Data Protection Law

Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States.  The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.

In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU. 
Continue Reading Privacy Shield Updates: Second Annual Review and Brexit Guidance

On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal.  Much of this latest guidance is consistent with the ICO’s earlier guidance on the topic, published in September 2018.  But as the UK’s expected withdrawal from the EU on March 29, 2019, inches closer, organizations that process the personal data of individuals resident in the UK or in other countries in the European Economic Area (EEA) should now take steps to prepare themselves for the possibility of a “no-deal” scenario.
Continue Reading Information Commissioner’s Office Issues Guidance on UK Data Protection Law in the Event of a “No-Deal” Brexit

On September 13, 2018, the UK government published a series of technical notices on how to prepare for a scenario in which the UK leaves the EU without agreement on March 29, 2019 (“no-deal Brexit”).  The government stressed that a no-deal Brexit “remains unlikely given the mutual interests of the UK and the EU in securing a negotiated outcome,” but that “it’s our duty as a responsible government to prepare for all eventualities.”  One of the notices, “Data protection if there’s no Brexit deal,” sets out the UK government’s position on data flows between the UK and EU and recommends actions that organizations should take to help ensure the continued flow of personal data from the EU to the UK if no agreement is reached.

Data privacy standards in the UK to remain the same

In the event of a no-deal Brexit, the technical notice is clear that the UK will maintain the same data protection standards as exist today.  This is because the General Data Protection Regulation (“GDPR”) currently applies in the UK (as it remains, for now, an EU Member State), and, at the point of a no-deal Brexit, the UK would incorporate the GDPR into UK law.  The GDPR rules — now and following Brexit — are supplemented by the UK Data Protection Act 2018, which sets out how certain aspects of the GDPR apply in the UK (e.g., in relation to children’s data).
Continue Reading UK “No-Deal Brexit” Technical Notice Sets Out Plans on EU – UK Data Flows