Happy New Year and welcome to the latest edition of our Data Protection update, our review of key developments in Data Protection law covering December 2017 and January 2018.
EU Commission: "UK will be a 'third country' for personal data transfers from the point of Brexit"
The European Commission has confirmed that, subject to any transitional arrangement that may be agreed following Brexit, the UK will be considered a "third country" for data transfers, as any such transfer of personal data would constitute a transfer out of the EEA.
Unless EU and UK officials agree on transitional arrangements in the interim, businesses will no longer be able to automatically transfer personal data to the UK from 30 March 2019 in the comfort that such transfers will be compliant with EU data protection legislation, namely the General Data Protection Regulation (GDPR).
One way in which data could continue to be transferred between the EU and the UK post-Brexit is if the Commission passes a decision that the UK's data protection legislative framework provides adequate protection of personal data (a so-called "Adequacy Decision"). Examples of countries which have been deemed adequate are Switzerland, Israel, Jersey and Argentina.
In the absence of an Adequacy Decision, the GDPR permits a data transfer to a third country if a controller or processor has an alternative appropriate safeguard (e.g. a compliant data transfer agreement/binding corporate rules) in place.
We will keep you updated on any developments as to UK to EU data transfers following Brexit. In the meantime, if you have any questions with regard to transferring data to "third countries", do let us know.
To read the Commission's notice to stakeholders, please click here.
Article 29 Working Party releases draft guidelines on "Transparency" and "Consent under the GDPR"
The Article 29 Working Party (WP29) has published draft guidelines on consent and transparency under the GDPR.
As the guidelines are still in draft form, we have set out a high-level overview of each below and will issue more detailed summaries when the WP29 publishes the finalised guidelines.
The WP29's draft guidelines provide a thorough analysis of the notion of consent under the GDPR, including commentary on each of the required elements for obtaining valid consent. By way of reminder, consent must be (i) freely given, (ii) specific...