As many of you might now already know, the last few months have seen a few updates to the GDPR landscape, both at home and in the EU. Good news though – the UK is adequate!
Good news, everybody!
On the 28th of June 2021, the European Commission officially adopted an adequacy decision on transfers of personal data from the EU/EEA to the UK. While the European Commission will continue to monitor the legal position in the UK and can suspend, amend or repeal its decision, the adequacy status is expected to last until the 27th June 2025, with the possibility of it being renewed at that point.
What does this mean?
This means that the UK has been deemed adequate and, therefore, EU personal data can continue to be transferred freely from the EU/EEA into the UK without having to put Standard Contractual Clauses in place. Of course, the usual assessments, due diligence and documents that should be carried out or put in place when transferring personal data to a controller or a processor (for example, having a Data Processing Addendum in place) will continue to apply as appropriate.
This is a welcome development, as it ends a period of uncertainty for both UK and EU/EEA businesses.
The ICO has launched its public consultation on UK standard contractual clauses (SCCs)
This consultation is much needed to provide more guidance on the issue of transferring UK personal data to third countries as, since the 1st January 2021, the UK has been operating its own data protection regime. In addition, the ICO has confirmed that the newly released EU SCCs are not valid for UK data transfers and that, pending the consultation, the old SCCs should be used when transferring UK personal data to third countries.
The consultation will close on the 7th October 2021 and the finalised versions of the documents are expected late 2021 or early 2022.
The documents that have been published for consultation so far are:
- a draft international data transfer agreement (essentially the UK equivalent of the EU SCCs), which appears to diverge in nature and structure from the EU SCCs in that, instead of using a modular structure, it uses a combination of tables, free text and mandatory text. Notably, it caters only for Controller to Controller, Controller to Processor and Processor to Processor transfers, leaving out Processor to Controller transfers;
- an international risk assessment tool and guidance that should assist businesses in carrying out their transfer risk assessments by suggesting a range of considerations, decision trees and mitigations; and
- a UK addendum for inclusion in the EU SCCs – there is no guidance on this document yet, though it appears to be intended as an addendum to be entered into by parties which have already entered into the new EU SCCs, thereby reducing the need for a party to enter into both the EU SCCs and the UK SCCs.
Data Breach Litigation
The Warren v DSG case comes at a timely moment to clarify the landscape of data breach litigation. In this case, Currys PC World suffered an external attack which compromised approximately 1 million customer records. The claimant sought £5,000 for breach of the Data Protection Act 1998 (as the incident took place pre-UK GDPR), breach of confidence, misuse of private information and negligence.
The court, however, summarily dismissed the claimant’s claims for breach of confidence, misuse of private information and negligence, reasoning that all of these causes of action require some positive wrongful action to be taken (e.g. deliberate disclosure of personal data), whereas the defendant was the passive victim of an external attack. In addition, these causes of action do not impose any form of data security duty on the defendant.
While there may be further developments in this case, the summary judgment has some important implications for data breach litigation. Firstly, it clarified that the focus of such disputes should be on the key question of whether there has been a breach of the UK GDPR, which limits the ability of claimant firms to take advantage of the lack of clear authority in the area. Secondly, it reiterated that a state of anxiety which falls short of clinically recognised psychiatric harm is not sufficient damage to found a claim in negligence.
Devant will continue to monitor any new developments in this area, but in the meantime, if you have any questions or need help with your GDPR compliance, please do not hesitate to contact us.