Wednesday, January 13, 2021
The new 1,246-page Trade and Cooperation Agreement (TCA) between the United Kingdom and the European Union has ended the suspense over what restrictions will apply to the transfer of personal data between the EU and the UK now that the Brexit transition period has run its course. As expected, the UK has chosen to allow UK personal data to be transferred to the EU freely on the basis that the EU’s GDPR provides adequate protection for the transferred data. But the EU has not yet agreed that EU personal data can be transferred freely to the UK.
[co-author: Marc Loewenthal]
An Overview of Recent Developments
Concerns are mounting for companies around the world as they consider their ability to transfer data from the EU following the recent decision by the Court of Justice of the European Union in
Invalidation of Privacy Shield. In the recent Schrems II decision, the Court overturned the EU-U.S. Privacy Shield that served as an approved adequacy program for transfers of EU personal data to the U.S. under the GDPR. Overnight, thousands of companies that participated in or relied on Privacy Shield to transfer data (or vendors who relied on Privacy Shield) lost the assurance that their cross-border transfers were deemed adequate.
On December 24, 2020, the European Commission and the United Kingdom reached an agreement in principle on the long-awaited Trade and Cooperation Agreement (the “Trade Agreement”). For now, transfers of personal data from the United Kingdom to the European Union and from the United Kingdom to other jurisdictions recognized by the European Union as having adequate data protection will continue to be permitted without additional measures. However, this reprieve will only last six months and the UK Information Commissioner’s Office has recommended that companies start exploring alternate means for transfers.
More than two years after Europe's tough new General Data Protection Regulation came into full effect, are each EU member state's privacy watchdogs finally finding consensus?
Outstanding questions have included the severity of penalties to be imposed on organizations that violate GDPR, for example, by not reporting data breaches to relevant authorities within 72 hours of discovering them. Organizations also face sanctions if they fail to properly secure Europeans' personal data, regardless of whether a breach occurs.
Multiple legal and security experts say that some consensus has been building between each EU member state's privacy watchdog, aka data protection authority, or DPA.
Introduction
With the vast technological developments taking place in recent years, it is important that the European Union becomes aware of the usefulness of these developments in order to inform the public and assist the relevant authorities in their efforts to contain the spread of COVID-19.(1)
The use of digital technologies and data can be a key tool to monitor the spread of COVID-19 in real time and can also empower citizens to take more effective social distancing measures.
Toolbox
On 8 April 2020 the European Commission issued Recommendation 2020/518 on establishing a common EU toolbox for the use of technology and data to combat the COVID-19 crisis, particularly with regard to mobile apps and the use of anonymised mobility data. The recommendation sets out a process to develop a common approach – a so-called toolbox – in the European Union using the most innovative digital means to address the health crisis. The recommendation focuses primarily on: