International Data Transfers, the story so far…

Welcome to the dark side

Like Anakin Skywalker and Obi-Wan Kenobi, there was a time when the EU and the UK enjoyed a close, almost familial, friendship. Sure, there were tensions and rivalries, and the young and headstrong Anakin was quick to rebel against his master, but all in all their relationship was a solid one. That was until the young Jedi apprentice became frustrated with the Jedi Order, and decided to pursue his own path to power.

Whether the UK leaving the EU was really a rush to the Dark Side is a matter of opinion, but it certainly seems to have tainted the relationship between the two when it comes to the flow of personal data.

As recently as 31 December 2020, the EU considered it to be safe for its member states to transfer personal data to the UK. But now, the EU is not so sure. This despite the fact that nothing has actually changed in terms of the data protection rules in the UK. On the contrary, as it stands the UK GDPR is an almost identical copy of the EU GDPR. The only thing which is different is that the UK is no longer an EU member state.

Which perhaps explains why, on 21 May, MEPs in the European Parliament voted in favour of a resolution that:

  • Calls for an action plan to address the apparent deficiencies the EU has identified in the way the UK complies with the GDPR
  • States that these alleged deficiencies must be resolved before an adequacy decision can be made (i.e. before the EU will consider personal data transfers to the UK to be safe)

This could have far-reaching and serious consequences for UK organisations wishing to conduct business in the EU. If, which is by no means certain, the Commission decides to follow this resolution, the current free flow of personal data between the two areas will cease. This means that no such data will be able to be sent to the UK without an additional safeguard, such as Standard Contractual Clauses (SCCs), being used.

Also, there is reference in the resolution to concern about the UK intelligence services having access to personal data of EU subjects. These concerns are virtually identical to those voiced by the EU last year about the US intelligence services – concerns that have led to data transfers to the US becoming much more challenging and, in some cases, impossible.

This resolution, if adopted by the Commission, means that the UK will find itself in the same position as the US in the eyes of the EU, meaning that a form of due diligence will have to be undertaken by ‘data exporters’ in the EEA before they can consider entering into SCCs with UK ‘data importers’.

As if that wasn’t enough, the European Parliament also recently voted (541 in favour, 1 against and 151 abstaining) for another resolution that, amongst other things:

  • Asks that bulk transfers of personal data to the US be halted
  • Asserts that data storage capabilities must be developed within the EU

The latter means that the European Parliament wants all EU data to stay in the EU. Think about it.

Many argue that Anakin left the Jedi Order not because he was an evil, power-hungry maniac, but because the Jedi Council failed to acknowledge his strengths and support him, thereby alienating him entirely. From that point on, well… things just went from bad to worse for all concerned. There’s a lesson in there somewhere, that even when one of your own has left the flock, it doesn’t always pay to provoke them further. Sometimes, it comes right back to bite you.

Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber, Robert heads up its Data Protection as a Service (DPaaS) solution and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.