Unless the parties decide, before 1 July 2020, to extend the transitional period from 1 to 2 years, the whole of eu primary and secondary law will no longer apply in the United Kingdom from 1 January 2021. The transfer of personal data to the United Kingdom is then subject to the requirements of Chapter V of the RGPD and the Criminal Prosecution Directive. The European Commission has published a series of opinions outlining the consequences in a number of areas of action to prepare citizens and stakeholders for the UK`s withdrawal. However, the data protection shield, like its predecessor, the safe harbor agreement, was cancelled by the ECJ because the United States does not adequately protect personal data within the meaning of the RGPD. Therefore, prudent organisations dealing with the personal data of EU citizens should take steps to ensure that they comply with the law after 31 December 2020 if no adequacy decision is taken. While the essential information contained in existing data protection information is likely to remain the same, companies must proactively ensure that their views comply with UK data protection legislation at the end of the transition period. UK organisations dealing with personal data are currently linked by two laws: the EU RGPD and the DPA (UK Data Protection Act) 2018. The RGPD is an EU regulation that will no longer apply to the UK from the end of the transition period. However, if you operate within the UK, you must comply with UK data protection legislation. The Government has stated that it intends to incorporate the RGPD into UK data protection legislation from the end of the transition period – therefore, in practice, the fundamental principles, rights and obligations of data protection in the RGPD will not change much. The requirements of the EU RGPD, as implemented in Parts 3 and 4 of the 2018 DPA, continue to apply to law enforcement and intelligence services. However, in its decision, the European Court of Justice held that CSC is only valid if the law guarantees adequate protection in the host country.
If the law in that country makes it impossible to carry out obligations (for example, when personal data is affected by state surveillance), it is not valid and additional safeguards must be given as to the necessary protection. If such protective measures cannot be taken, the transformation is suspended. For international data transfers from the UK to other jurisdictions, please visit the ICO website. At the end of the transitional period, data transfers from the EU to the UK will be subject to local transmission requirements in the sending country. Your European partners may ask you to comply with additional security measures. We advise you to contact your EU partners to discuss what they want to do to ensure that the data can continue to be transmitted to the UK. Another major change in the UK`s RGPD is that the Information Commissioner, the UK`s leading data protection authority, will now become the UK`s chief supervisor, regulator and executor of the UK RGPD.