UK Withdrawal Agreement Data Protection

However, like its predecessor, the Safe Harbor Agreement, the Privacy Shield was invalidated by the ECJ because the United States does not offer adequate protection of personal data within the meaning of the GDPR.

The data protection regime set out in Part 3 of the 2018 CCA remains applicable to competent authorities that deal for law enforcement purposes. These rules stem from an EU directive, but are now set by UK law and remain applicable after the end of the transition period (with some minor technical changes to reflect our status outside the EU). Legacy data includes personal data of individuals outside the UK (in the EEA or not) processed in the UK, where:

After years of turbulence, it appears that the UK finally has an agreement defining how it will leave the European Union (EU). Prime Minister Boris Johnson's withdrawal agreement has many similarities to his predecessor Theresa May's withdrawal agreement, particularly when it comes to data protection requirements. There is only a very small significant difference between the EU GDPR and the proposed UK GDPR, so organisations that process personal data should continue to meet the requirements of the EU GDPR.

However, in its judgment, the ECJ stated that CCS are only valid if the law guarantees adequate protection in the beneficiary country. If, in that country, the law does not allow compliance with the obligations (if personal data are likely to be affected by state surveillance, for example), they are not valid and additional safeguards must be put in place to ensure the necessary protection. If such security measures cannot be taken, treatment should be suspended.

The EU GDPR only allows the transfer of personal data from the EEA to third countries and international organisations in certain circumstances: the EU carries out a data adequacy assessment of the UK. If the EU takes positive adequacy decisions by 1 January 2021, this would mean that, as is currently the case, personal data can move freely from the EU/EEA to the UK without organisations intervening. Businesses should also be aware that the UK government has announced that it is maintaining the GDPR as it is after leaving the EU and that, therefore, companies should continue to comply with the GDPR and the UK DPA in 2019, even if they do not process EU citizens' data after the transition period. The UK government is currently working to make adequacy decisions by the European Commission, both under the General Data Protection Regulation and the Data Protection Directive, which, if guaranteed until the end of the transitional period, allow the free flow of personal data from the EU to the UK to continue without interruption. We will update our guidelines to reflect the outcome. In the meantime, you can take steps to ensure that personal data can continue to flow after the transition period. For more information, see our international transfer guidelines and interactive tool on using standard contractual clauses for transfers to the UK. Given the current state of affairs, it is recommended that companies maintain GDPR, DPA and SRI compliance for the foreseeable future. This includes ensuring that robust technical measures and procedures are in place to protect personal data and to detect and investigate personal data protection breaches.

This article was first created and published for Lexis Nexis, but was written by Eleonor Duhs, data expert and Fieldfisher lawyer. UK organisations that process personal data are currently subject to two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018. One of the areas debated during the transition period, which will enter into force on 31 January, is data protection. . . .