Finally, the European Court of Justice is currently examining the legality of EU standard contractual clauses (SCC) – and the EU-US data protection shield – as a legal basis for data transfers outside the EU. The outcome is uncertain, but there is a significant risk that SCC will no longer be considered a sufficient guarantee. We recommend that all UK companies keep a close eye on this issue. With only a few weeks left, the EU has not yet decided whether it accepts that the UK data protection system is still appropriate. There are few significant differences between the EU GDPR and the UK's GDPR proposal, so organisations dealing with personal data should continue to meet the requirements of the EU GDPR.
Since 25 May 2018, data protection within the EU has been governed mainly by Regulation (EU) 2016/679 or, as it is otherwise known, the General Data Protection Regulation (GDPR), which harmonises the approach to data protection in Member States. With the UK's withdrawal from the EU, the UK is now regarded in all respects as a “third country”, which has an impact on how personal data can be transmitted to UK-based entities, and vice versa.
How does this affect you? During the transitional period, the EU General Data Protection Regulation (GDPR) will continue to have direct effect and data flows will not be immediately affected. However, at the end of the transition period, the UK could become a “third country” according to the GDPR, with important implications for data protection. The United Kingdom withdrew from the European Union on 31 January 2020. On the basis of the withdrawal agreement ratified by both the European Union and the United Kingdom, a transition period during which EU legislation will continue to apply to the UK will last until 31 December 2020.
With regard to personal data, the situation remains unchanged and there is therefore no need to set up a transfer mechanism under Chapter V of the GDPR or the Criminal Prosecutions Directive.
During the transition period, as UK and EU negotiators discuss future data protection rules, the General Data Protection Regulation (GDPR) and Data Protection Act (DPA 2018) will continue to apply to UK organisations. Similarly, organisations that provide essential services must continue to comply with the Networks and Information Systems Directive (NIS). The EU-US data protection shield, which allowed certified US organisations to process the personal data of European citizens, was invalidated by the European Court of Justice on 16 July 2020 following a complaint by Austrian data protection defender Max Schrems. During the transitional period, the UK's data protection standard has not changed. EU data protection laws, including the General Data Protection Regulation (GDPR), apply throughout the transition period, alongside the Data Protection Act 2018. The Information Commissioner remains the UK's independent data protection regulator. Data protection legislation covered by Part 3 of the DPA 2018 continues to apply to the relevant prosecuting authorities.