Boxing Day saw yet another warning from Brussels to find a new basis for transferring personal data from the EEA to the UK, as it is considered unlikely that there will be an EU 'adequacy finding' by this time next year. The options include adding 'standard model clauses' to contracts under which that data currently flows. But there might be a lot of those contracts and the process of putting them in place might just make everyone nervous. So why transfer the data at all?
Many UK firms hold personal data relating to EEA individuals. This might be data relating to EEA-based staff, customers or suppliers, for example; or personal data that is included in data sets processed in the course of 'big data' analysis for the purpose of developing products or targeting advertising.
Rather than transfer that data, the UK firms could - as many already have - simply incorporate an entity within the EEA to hold the data and determine the means and purposes of processing. That EEA entity could do the processing itself within the EEA or outsource that to an EEA-based processor with the right experience and expertise. Only the aggregated results would need to go to the UK.
It can be a simple matter to transfer existing English law contracts to a new entity, particularly as Irish law is so similar.
This is just one area in which EEA firms dealing with the UK will need to be creative in finding alternative structures, and Ireland is a natural base for many reasons - let us know if we can help.
Wojciech Wiewiorowski, the EU’s new data protection supervisor, said the UK was “13th in the row” of countries that are negotiating data deals with Brussels. Allowing the UK to skip the queue “would be a little bit unfair towards those who have already prepared themselves for this process,” he added.