The UK officially left the EU on January 31 this year. Currently, the EU and the UK are in a transition period, set to end 31 December. It was agreed that, during this time, cross-border transfers would not be prohibited but would continue as if the UK were still a member state. This is about to change.
Let’s look at the relations with the U.S. first. The CJEU invalidated Privacy Shield as a mechanism to cover EU-U.S. data transfers. I’m taking a number of client questions on this, and the implications stretch beyond the Shield arrangement itself. After we published a short video on how data residency requirements are layered from an EU perspective, more guidance and opinions have been trickling in. The European Data Protection Board (EDPB) strongly emphasizes the need for an impact assessment of the destination country before every decision to send data out of the EU. There is a specific focus on the extent to which confidentiality of the data can be guaranteed. When the assessment shows insufficient guarantees, the resulting advice may be not to execute the transfer. This applies not just to the U.S., but to every country outside the EEA without an ‘adequacy’ status.
Privacy Shield existed precisely because the U.S. is not considered to provide ‘adequate’ protection and guarantees around data confidentiality. The Schrems II ruling made clear once again why that is. It also considerably lowers expectations around a viable ‘Shield 3.0’.
The UK may have ‘adopted GDPR’ in its 2018 Data Protection Act, but it’s no copy-paste exercise. The Committee on Human Rights openly expressed its concerns as to whether there is a conflict with the Charter of Fundamental Rights (CFR). There are exceptional situations where privacy rights are denied in the UK (e.g. immigration control). The European Commission (EC) has also clearly said that the UK will be treated like any other country without an adequacy decision. Though in theory the UK could receive adequacy status from the EC, it is increasingly unlikely, and the CJEU could very well overrule it. In the past, the CJEU has already stated that the UK’s data protection guarantees are not adequate for the EU. In essence, the existence of the UK’s ‘snooper’s charter’ contravenes the Charter of Fundamental Rights.
Finally, there is the issue of the UK’s partnerships with Australia for data exchange, as well as its signing of a reciprocal data exchange agreement with the U.S. under the CLOUD Act. In short, for transfers of personal data from the EU to the UK, the same measures must be taken as for transfers to the U.S. post-Schrems II.
There is little to no reason to wait until after 31 December to take those measures.
Why not start now?
EDIT: updated with a more recent CJEU ruling that basically confirms my prediction on the (un)likeliness of adequacy.