Gary LaFever | December 24, 2020

EU-UK Trade and Cooperation Agreement Does Not Address Adequacy Decision So the CJEU Shrems II Ruling Applies to the UK

The Brexit deal does not include any adequacy decision on data protection for the UK, so the principles embodied in the CJEU Schrems II (C-311/18) and subsequent CJEU rulings apply to the UK.

The CJEU made it clear in October 2020 cases involving the UK, France, and Belgium (Case C-623/17; C-511/18; C-512/18; C-520/18) that even within the EU (prior to Brexit) legislative initiatives dealing with economic and national security issues do not override the constitutional rights of EU data subjects. For predictability of operations purposes, data controllers are best served by technical and organisational measures that comply with CJEU rulings to avoid potential disruptions to operations similar to those resulting from the invalidation of “the legislative initiative formerly known as the Privacy Shield," including:

  • Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear; and
  • Remote Access to Data for Business Purposes. [1]
Highlghted and annotated text of official European Union Brexit Deal Brochure Highlghted and annotated text of official European Union Brexit Deal Brochure

Click here for the full text of the European Commission's overview of the agreement with the United Kingdom on the terms of its future cooperation with the European Union.

Companies can ensure ongoing use of data by establishing a defensible position by implementing Supplemental Measures / Additional Safeguards that comply with Schrems II requirements to achieve desired business results while respecting and enforcing the fundamental rights of data subjects.

Learn About Schrems II Compliant Supplementary Measures / Additional Safeguards

After holding several panels on Schrems II issues with the European Data Protection Supervisor (EDPS), None of Your Business (NOYB), Future of Privacy Forum (FPF), Promontory, Cooley, and Fieldfisher, we received over a thousand follow-up questions, and hundreds of inquiries requesting briefings. We created a no-cost Briefing Portal in response to overwhelming requests from General Counsels and senior-level privacy professionals for additional information.

This Briefing Portal streamlines the process for interested professionals and provides a no-cost, self-paced educational platform. Access expert content, analysis, and discussion of the key concepts behind Schrems II, and learn how to support your clients or organisation to take action.

Register at SchremsII.com/Briefing to learn about Schrems II Compliant Supplementary Measures / Additional Safeguards and other matters pertaining to lawful international data transfers after Schrems II using SCCs and BCRs.

You may be interested in joining the Schrems II Linkedin Group focused on critical discussions and analyses related to using technically-enforced Supplementary Measures and SCCs, which you will not find elsewhere.

 

[1] See https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_informationnote_20201215_transferstoukaftertransitionperiod_en.pdf; https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf; and https://www.dataprotectionreport.com/2020/10/two-new-cjeu-judgments-further-tighten-limits-of-government-surveillance-significant-for-impending-uk-adequacy-decision-and-schrems-ii-country-assessments/.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS