EU and UK data flows
Draft agreements have been published which, if ratified, should allow for a continued free flow of personal data from the EU into the UK.
Is this an issue? Well, yes. Since the UK left the EU and the transition period ended, the UK is considered a ‘third country’ for the purposes of the EU General Data Protection Regulation (GDPR). This means that unless the European Commission awards the UK a Certificate of Adequacy (confirming that the UK’s national data protection regime is of sufficient standard to allow data transfer), each individual business would have to put additional safeguards and provisions in place for each individual transfer of data from the EU to the UK.
On 17th February the EU published draft data adequacy decisions which recognise the sufficiency of the UK’s data protection standards. Positive data adequacy decisions under both the GDPR and the Law Enforcement Directive (LED) would allow for personal data to continue to flow freely from the European Union (EU) and wider European Economic Area (EEA) to the UK. Confirmation of the draft adequacy decisions will help make sure UK organisations can continue to receive personal data from the EU and EEA without additional compliance costs.
This is not a done deal yet. The draft decisions will now be shared with the European Data Protection Board for a ‘non-binding opinion’, before being presented to EU member states for formal approval. Once implemented, the adequacy decision will be reviewed every four years and extended on a rolling basis, provided there is no later divergence between the EU and UK regimes.
Currently, EU/EEA to UK transfers of data are operating under a bridge scheme legislated for in the UK-EU Trade and Cooperation Agreement (TCA). This scheme extends the free flow of personal data between the EU/EEA and the UK for up to six months, ending at the latest on 30 June 2021. It has facilitated the free flow of personal data from the EU/EEA to the UK without additional compliance measures such as Standard Contractual Clauses.