On December 30, 2020, the UK and the European Commission reached an agreement in principle on the terms of the UK’s exit or “Brexit,” from the European Union. While this situation has economic and trade implications, it should not disrupt the flow of data or Nuance’s ability to support data protection and privacy for customers in the UK or EU.
BREXIT effect on General Data Protection Regulations (GDPS)
The General Data Protection Regulation (GDPR), which came into effect on 25 May, 2018, governs the processing of personal data of persons within the “member countries” of the European Union plus the three additional members of the EEA (Iceland, Norway, and Liechtenstein) and will continue to govern data processing under the regulation’s jurisdiction.
In 2018, the UK Parliament passed the Data Protection Act 2018 to bring Britain’s data protection laws into full alignment with GDPR. On January 31, 2020, the date of the UK’s departure from the EU, a new UK GDPR took effect domestically alongside an amended version of the Data Protection Act 2018. The “new” UK-GDPR is substantially the same, wholly incorporating the Privacy and Electronic Communications Regulations along with revisions to cover areas of the domestic law that are not touched upon by the EU version of the regulation (i.e. national security, the intelligence services and immigration). UK GDPR now governs data processing within the United Kingdom.
The EU-UK Trade and Cooperation Agreement (TCA) set a deadline of April 30, 2021 for the UK to obtain an ‘adequacy decision’ from the European Data Protection Board (EDPB). By demonstrating a level of data security and protection of data subject rights that is essentially equivalent to that within the EU, an adequacy decision permits a cross-border data transfers outside the EU, or onward transfers from or to a party outside the EU. the EU has already recognized several countries (including Argentina, Canada (commercial organizations), New Zealand, Switzerland, and Uruguay among others) as providing adequate protection.
The UK has until April 30, 2021, to obtain an adequacy decision from the EU, and this period may be extended for two additional months by mutual agreement. Given that the UK’s Data Protection Act of 2018 conforms to the requirements of GDPR, it is expected that the UK’s application for an adequacy decision will be granted, in which case data can continue to flow freely between the EU and the UK.
If adequacy status is not granted, data controllers and data processors might be able to rely on other adequacy mechanisms. GDPR refers to territories outside of the EEA which do not have adequacy decisions as “third countries.” GDPR provides a number of mechanisms intended to ensure adequate protection of personal data transferred outside of the EEA to third countries. Such assurances can come from EU-approved certifications, binding corporate rules and standard contractual clauses (“SCCs”). Nuance relies on SCCs, or Model Clauses as they are sometimes called, as data transfer agreements whose terms and format have been drafted by the European Commission as an adequacy transfer mechanism.