A Tale of Trust Built and Lost: International Personal Data Transfers, the story so far…

Like Anakin Skywalker and Obi-Wan Kenobi, there was a time when the EU and the UK enjoyed a close, almost familial, friendship. Sure, there were tensions and rivalries, and the young and headstrong Anakin was quick to rebel against his master, but all in all their relationship was a solid one. That was until the young Jedi apprentice became frustrated with the Jedi Order, and decided to pursue his own path to power.

Whether the UK leaving the EU was really a rush to the Dark Side is a matter of opinion, but it certainly seems to have tainted the relationship between the two when it comes to the flow of personal data.

As recently as 31 December 2020, the EU considered it safe for its member states to transfer personal data to the UK. Now it is not so sure, despite the fact that nothing has actually changed in the data protection rules in the UK. On the contrary, as it stands the UK GDPR is an almost identical copy of the EU GDPR. The only thing that is different is that the UK is no longer an EU member state.

Which perhaps explains why, on 21 May 2021, MEPs in the European Parliament voted in favour of a resolution that:

  • Calls for an action plan to address the apparent deficiencies the EU has identified in the way the UK complies with the GDPR
  • States that these alleged deficiencies must be resolved before an adequacy decision can be made (i.e. before the EU will consider personal data transfers to the UK to be safe)

This could have far-reaching and serious consequences for UK organisations wishing to conduct business in the EU. If the Commission decides to follow this resolution (which is by no means certain), the current free flow of personal data between the two areas will cease. No such data could then be sent to the UK without an appropriate safeguard under Article 46 of the GDPR being put in place, such as Standard Contractual Clauses (SCCs).

The resolution also refers to concern about the UK intelligence services having access to the personal data of EU data subjects. These concerns are virtually identical to those raised about the US intelligence services in the Court of Justice of the EU's Schrems II judgment of July 2020, which invalidated the EU-US Privacy Shield and has made data transfers to the US much more challenging and, in some cases, impossible.

If the Commission follows this resolution, the UK will find itself in the same position as the US in the eyes of the EU: 'data exporters' in the EEA will have to carry out due diligence, in the form of an assessment of the risk that UK law and practice poses to the transferred data, before they can rely on SCCs with UK 'data importers'.

As if that wasn’t enough, the European Parliament also recently voted (541 in favour, 1 against and 151 abstaining) for another resolution that, amongst other things:

  • Asks that bulk transfers of personal data to the US be halted
  • Asserts that data storage capabilities must be developed within the EU

Taken to its conclusion, the latter means that the European Parliament wants all EU personal data to stay in the EU. Think about it.

Many argue that Anakin left the Jedi Order not because he was an evil, power-hungry maniac, but because the Jedi Council failed to acknowledge his strengths and support him, thereby alienating him entirely. From that point on, well… things just went from bad to worse for all concerned. There is a lesson in there somewhere: even when one of your own has left the flock, it does not always pay to provoke them further. Sometimes it comes right back to bite you.

Written by Robert Wassall
Robert Wassall is a solicitor, an expert in data protection law and practice, and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.