The ICO guidelines on post-Brexit data transfer
Taken from "The Legal Newspaper", the legal information newspaper of the Wolters Kluwer Italia group and edited by Cedam, Utet Giuridica, Leggi d'Italia and Ipsoa.
From 1 January 2021, the United Kingdom will permanently leave the European Union, assuming the qualification of a 'Third Country' with respect to the member states of the European Economic Area. To clarify the rules applicable to the transfer of personal data in the post-Brexit scenario, the Information Commissioner's Office (ICO) has published specific guidelines, which indicate the appropriate adjustments for companies and other organizations committed to managing data flows across the Channel in compliance with the EU GDPR and the new UK GDPR.
Alas, here we are. At the end of the transitional period started last January 31, the stroke of midnight on January 1, 2021 (it will still be 23.00 on December 31 in London) will definitively mark the exit of the United Kingdom from the European Union. As the deadline approaches, the Information Commissioner's Office (ICO), the British data protection authority, has intensified its efforts to provide clarity on the rules applicable in the United Kingdom regarding data protection in the post-Brexit scenario. And if "no man is an island" (to quote John Donne), not even an island is an island in the digital economy based on the use of data. In fact, Brexit also requires companies and other organizations established outside British borders to carry out timely checks and obligations in order not to interrupt the flow of data underlying exchanges across the Channel.
As for the applicable regulatory framework in the post-Brexit scenario, the ICO first clarifies that, from 1 January 2021, Regulation (EU) 2016/679 (the so-called EU GDPR) will no longer be applicable in the United Kingdom. The EU GDPR will in fact be replaced by the so-called UK GDPR, i.e. by a regulation of "national scope" containing provisions substantially identical (in terms of the principles, rights and obligations contemplated therein) to those contained in the EU GDPR applicable in the countries of the European Economic Area (EEA). In addition to the UK GDPR, data processing will be governed by the UK DPA (Data Protection Act) of 2018 and by the PECR (Privacy and Electronic Communications Regulations), duly updated to take account of the United Kingdom's exit from the European Union.
In compliance with the above-mentioned regulatory framework, Brexit will require timely adjustments on the part of companies and other organizations active both here and across the Channel, given that, from 1 January 2021, the United Kingdom will become a 'Third Country' with respect to EEA countries and will no longer be able to formally avail itself of the guarantees based on the EU GDPR regarding trade with non-EEA countries.
To describe the extent of the relevant adjustments, the ICO identifies three types of personal data transfers:
(i) transfers from the United Kingdom to EEA countries;
(ii) transfers from EEA countries to the United Kingdom;
(iii) transfers from non-EEA countries to the United Kingdom and vice versa.