Personal data and its transfer over international boundaries hit the news in July 2020, yet again, as the Court of Justice of the EU (CJEU) handed down the Schrems II decision on data transfers reaffirming its strong backing for data protection rights. In October, a CJEU ruling on UK (as well as French and Belgian) government surveillance regimes further shaped how policy-makers need to evaluate data protection arrangements. Now Brexit is on the horizon and the international transfer issues surrounding the UK’s exit are becoming a pressing concern for many organisations.
But it remains unclear whether personal data transfers from the EEA to the UK will be able to continue as seamlessly as now post the Brexit transition period without additional measures. Unless the European Commission passes an “adequacy decision” in relation to the UK before 31 December 2020 (or some other form of agreement is reached), then EU/EEA organisations that transfer personal data to UK organisations (or allow them to access the data) will breach the GDPR unless they put additional alternative measures in place to govern those transfers, or a derogation applies. The Commission’s freedom of manoeuvre is constrained by the two CJEU rulings earlier this year.
For any organisation doing business across the Brexit border, there may be significant work to be done to ensure that those data transfers can continue without breaching the GDPR, such as putting EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules into place.