By the power of the Trade and Cooperation Agreement a period of 4+2 months (which comes to an end on 30th June, 2021) was established until the end of which the transfer of data from the EU to the UK will not be treated as a third country transfer. Оn 19.02.2021 the European Commission presented a Draft decision on the adequate level of protection of personal data provided by the United Kingdom. In case a Decision is adopted by the end of June, 2021, the data transfer may continue without any specific authorization or further complications except for those applicable to any transfer of personal data within the EU. While probably all of the business concerned was crossing fingers on its final adoption, on 20th May the European parliament voted for the need of improvements to the proposed Decision (like the European data protection board (EDPB) did in its statement reviewing the draft decision). Main concerns of both, the Parliament and the EDPB, are that UK’s laws do not provide the level of protection required by the EU’s data protection legislation.
But, can an adequacy decision be adopted anyway? This question arises because UK laws currently provide that the UK authorities may oblige the providers of electronic communications services to carry out the general and indiscriminate transmission of traffic data and location data to the security and intelligence agencies for the purpose of safeguarding national security – something that has been declared unlawful by the European Court of Justice in its judgement of October 6, 2020, C-623/17.
So how can we still transfer personal data to the UK after 1st July if no adequacy decision is adopted? In such case the data transfer may continue if appropriate safeguards are provided – like binding corporate rules, standard contractual clauses agreement or certification and codes of conduct. Transfer is still possible without adequacy decision or appropriate safeguards under the derogations provided in article 49 of GDPR. Such derogations are, for example –
- data subjects’ explicit consent for transfer,
- fulfilling a contractual obligation,
- public interest,
- establishment, exercise or defence of legal claims or
- protection of the vital interests of the data subject.
The most commonly used safeguard instrument is a conduction of an agreement between the data exporter and the data importer which incorporates Standard Contractual Clauses (SCC). The most recent version of such SCC is adopted on 7th June 2021 (it shall become effective on 27th June, 2021) by the European commission and can be easily adapted to each and every kind of relations as it is structured in 4 different modules (controller-to-controller transfer, controller-to-processor transfer, processor-to-processor transfer, processor-to-controller transfer) in accordance with the different variations of the legal position of the parties. The contract contains not only obligations for the parties but also rights for the individuals whose personal data is transferred. They may enforce directly the rights provided against the data importer and the data exporter.
For now, it is unclear whether the draft adequacy decision will be finally approved. Even if adopted the decision can still be challenged in the Court or repealed, amended or suspended by the European commission if relevant information shows that the UK no longer ensures an adequate level of protection.