For UK market research agencies like FieldworkHub that work across Europe, nothing really changed when the UK left the EU on 31 January 2020. This is because the UK was treated as if it was still part of the European Economic Area (EEA) when it came to international data transfers during the 11-month transition period that followed. The transition period ended on 31 December 2020. How will this affect international market research in 2021?
In the short term, there’s only one major change for international research agencies based in the UK: from 1 January 2021 virtually every UK company that processes data relating to individuals in the EEA needs to appoint an EU representative. This is a person or company based in the EU who acts as a liaison with EU data subjects and maintains records of data processing that can be shared with EU data protection authorities on request. A company’s EU representative should be based in the country with the largest number of that company’s data subjects – FieldworkHub has selected Germany.
Further changes will depend on if and when the UK obtains a so-called adequacy decision from the European Commission (EC). This is a ruling that a non-EEA country offers adequate data protection to allow personal data to flow from the EEA without further safeguards. Simply put, the adequacy decision provides formal recognition that a country’s data protection laws are as strong as the GDPR so the country can be treated as if it were part of the EEA when it comes to data transfers.
So far, the EC has issued adequacy decisions for Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. The UK’s Data Protection Act implemented the GDPR in full and hasn’t been altered since Brexit. It therefore seems like a no-brainer to decide that it is adequate (and indeed the UK government has already determined adequacy for transfers in the other direction from the UK to the EEA).
Unfortunately, there’s a lot of due process to go through before Europe can reciprocate: the EC must first make a proposal on adequacy*, the European Data Protection Board must then give its official opinion, the proposal must then be approved by the representatives of EU countries, and finally the decision must be adopted by the EC.
The last-minute Brexit deal agreed on 24 December 2020 creates a grace period for data to continue flowing freely to the UK until the end of June 2021*.
The mechanism that the EC has put in place to safeguard transfers from the EEA to countries that aren’t covered by adequacy decision is a system of standard contractual clauses (SCCs) to be incorporated in data processing agreements. However, this is cumbersome (for example, the English template SCCs are 40-50 pages long) and the existing SCC system only covers controller-to-controller and controller-to-processor data transfers. The EC did publish a draft proposal for revised SCCs in November 2020 which also covers processor-to-controller and processor-to-processor transfers, but until these are formally adopted by the EC, they don’t have the legal force of the existing SCCs.
For now, therefore, the message seems to be Keep Calm and Carry On, but also keep an eye on that calendar!
* Update on 21 June 2021: The European Council has signed off on a post-Brexit data adequacy deal with the UK to ensure data transfers can continue between the EU and the UK. See https://www.research-live.com/article/news/ukeu-data-adequacy-agreement-ratified/id/5085262