London Bridge is……?
Post-Brexit, rights holders have (understandably) focused much of their attention on how to manage their portfolios of registered rights such as designs, trade marks and patents. However, there are other considerations which it is important to be aware of: amongst these, one often overlooked is the law relating to privacy and data protection.
When a company transfers personal data outside of the EU, it can only do so legally under a set number of circumstances. The definition of ‘personal data’ is deliberately wide and includes anything that can identify a living individual (including things like addresses, employee or National Insurance numbers, details of company directors and car registration numbers).
Now that the UK is no longer a member of the EU, it is effectively a ‘third country’ for the purposes of the EU’s data protection laws. This means that personal data cannot be transferred from the EU to the UK in the absence of a legal mechanism by which to do so.
Bridging the gap
On 24 December 2020, EU and UK negotiators announced agreement in principle on an EU-UK Trade and Cooperation Agreement (TCA) to apply following the Brexit implementation period. The most significant provisions of the TCA for data protection are the interim (or ‘bridging’) provisions for transmission of personal data from the UK to the EU.
It should be emphasised that this is very much a sticking plaster and the bridging mechanism will expire on 30 June 2021 if neither party objects (and the UK government does not deviate from the levels of protection it has already guaranteed).
If the EU does not resolve the UK’s standing or declines to grant it a so called ‘adequacy decision’ outright then this will have repercussions for any business which receives personal data from the EU: it will become illegal to transfer data from the EU to the UK in the absence of a legal mechanism by which to do so. For more information about how the decision will be reached please read our article here.
There are a number of potential mechanisms and of these, the most likely to apply are the so called Standard Contractual Clauses approved by the European Commission. These are a set of pre-agreed contractual terms which the EU has confirmed are sufficient to safeguard the transfer of personal data outside a traditional adequacy decision.
A positive outcome in the bridging mechanism is by no means guaranteed and any business which routinely contracts with EU counterparts should start looking at its contracts now to ensure that there are appropriate mechanisms in place to allow for the ongoing transfer of personal data in the event that the UK is not granted an adequacy decision. If you need any further information in this regard please do feel free to get in touch with us via [email protected].
Written by Tom Synott, Associate