Privacy & Information Security Law Blog

On May 10, 2022, as part of the Queen’s Speech, the UK government announced its intention to introduce a Data Reform Bill (the “Bill”). The UK government’s background and briefing notes to the Queen’s Speech state that the purpose of the Bill is to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”

On February 2, 2022, the Secretary of State placed the UK Information Commissioner’s Office's (“ICO's ”) final international data transfer agreement (“IDTA”) and international data transfer addendum to the European Commission’s standard contractual clauses (“SCCs”) for international data transfers (“Addendum”) before the European Parliament. The IDTA and Addendum are set to come into force on March 21, 2022, but the ICO advises that they are of use to organizations immediately. The ICO also has stated that it intends to publish additional guidance on use of the IDTA and Addendum.

View the ICO’s final drafts of the IDTA and Addendum.

On June 16, 2021, the UK Government’s Taskforce on Innovation, Growth and Regulatory Reform published an independent report containing recommendations to the Prime Minister on how the UK can reshape its approach to regulation in the wake of Brexit (the “Report”). Among wide-ranging proposals across a range of areas, the Report recommends replacing the UK General Data Protection Regulation (“UK GDPR”) with a new UK Framework of Citizen Data Rights. The proposed approach would aim to give individuals greater control over their personal data while also allowing increased data flows and driving growth in the digital economy. The Report will be considered by the Government’s Better Regulation Committee.

On April 14, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted its Opinion on the draft UK adequacy decision issued by the European Commission on February 19, 2021. The EDPB’s Opinion is non-binding but will be persuasive. The adequacy decision will be formally adopted if it is approved by the EU Member States acting through the European Council. If the adequacy decision is adopted, transfers of personal data from the EU to the UK may continue following the end of the post-Brexit transition period without the implementation of a data transfer mechanism under the EU General Data Protection Regulation (“GDPR”), such as Standard Contractual Clauses.

On March 19, 2021, the Secretary of State for Digital, Culture, Media & Sport (“DCMS”) signed a Memorandum of Understanding (“MoU”) with the UK Information Commissioner’s Office (the “ICO”) with respect to new UK adequacy assessments following the UK’s departure from the European Union. The MoU sets out how DCMS and third countries will negotiate adequacy decisions, referred to under the MoU as “adequacy regulations”. These permit the free transfer of personal data collected in the UK to the relevant “adequate” jurisdiction.

On February 19, 2021, the European Commission published a draft data protection adequacy decision relating to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection.

On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.

Hunton Andrews Kurth is pleased to announce the release of Sweet & Maxwell’s fifth edition of Data Protection Law and Practice, written by Rosemary Jay, Hunton Andrews Kurth’s senior consultant attorney. This edition has been re-written to provide a thorough review of the current state of data protection law in the UK, along with details of relevant background context.

On November 10, 2020, Hunton Andrews Kurth will host a webinar examining the data protection considerations that arise on the UK’s departure from the EU. The UK’s Brexit transition period ends on December 31, 2020, and it is not clear whether the EU will formally recognize the UK’s data protection regime as ‘adequate.’ What does this mean for companies’ plans to update their data transfer mechanisms? Is adequacy the holy grail it is widely believed to be? What other issues must be considered? Is there still time?

On July 22, 2020, the European Data Protection Board (the “EDPB”) adopted an information note (the “Note”) to assist organizations relying on Binding Corporate Rules (“BCRs”) for international personal data transfers, as well as supervisory authorities, in preparing for the end of the Brexit implementation period on December 31, 2020. The Note is provided specifically for those groups of undertakings and enterprises that have the UK Information Commissioner’s Office (“ICO”) as the competent supervisory authority for their BCRs.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

On July 9, 2020, the European Commission (the “Commission”) adopted a Communication to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled: “Getting ready for changes – Communication on readiness at the end of the transition period between the European Union and the United Kingdom” (the “Communication”).

On September 10, 2019, the French data protection authority (the “CNIL”) updated its existing set of questions and answers (“FAQs”) on the impact of a no-deal Brexit on data transfers from the EU to the UK and how controllers should prepare.

On February 20, 2019, the French data protection authority (the “CNIL”) published a set of questions and answers (“FAQs”) indicating the CNIL’s recommendations, and steps that organizations should take, to prepare for a no-deal Brexit. The CNIL’s FAQs build upon guidance the European Data Protection Board (“EDPB”) provided in its Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit.

At its plenary meeting on February 13, 2019, in Brussels, the European Data Protection Board (“EDPB”) adopted an Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit, and an Information Note on BCRs for Companies Which Have ICO as BCR Lead Supervisory Authority.