So far, much of the discussion surrounding last week’s Court of Justice of the European Union “Schrems II” decision has focused on the implications for personal data transfers to the United States or other non-European countries, but its impact will also be felt in the U.K., adding a further layer of complexity for companies preparing for Dec. 31, when the Brexit transition period will end.
The key question at this stage is whether the U.K. will be successful in securing an adequacy finding from the European Commission by that date or whether it will be considered a “third country” for which data transfers will need to be legitimized by appropriate safeguards, as is the case for other third countries with no finding of adequacy. In addition, the post-Brexit U.K. will be a separate legal regime from that of the EU, which companies will need to consider separately from the EU data transfer rules.
In light of the ongoing uncertainty, set out below are the important initial steps that companies transferring data to and from the U.K. should consider at this stage.
Note: This is the third in a series of guidance notes on what the “Schrems II” decision means for companies that rely on EU-U.S. Privacy Shield, controller-to-processor standard contractual clauses, SCCs for transfers to controllers, derogations/exceptions to transfer restrictions, and binding corporate rules, as well as what “Schrems II” means for Brexit and what companies can expect with the road ahead on these issues.