In the case of UK market research firms such as Vocal Views, which operate across Europe, there was nothing that changed after the UK quit the EU on January 31, 2020. This is due to the fact that the UK was considered to be remaining part of the European Economic Area (EEA) in relation to international data exchanges during the 11-month period of transition that was followed. The transition period came to an end at the end of December 2020. What impact will this have on market research conducted internationally in 2021?
In the near term there’s just one significant change that will affect international research institutions located in the UK starting on 1 January 2021, virtually every UK company which handles data that pertains to individuals within the EEA must appoint one EU representative. It’s an individual or company that is located within the EU who acts as a contact with EU data subjects and keeps the records of processing data that may be made available to EU authorities responsible for protecting data upon the request of. The company’s EU representative must be located in the country that has the most customers whose data is processed by the company – Vocal Views has chosen France.
Future changes will be contingent upon what happens if and when the UK receives an”adequacy” ruling from the European Commission (EC). It is a decision that says that a non-EEA nation provides adequate data protection that allows personal information to transfer out of the EEA without additional safeguards. In simple terms, the adequacy ruling confirms that a country’s protection of data laws are as effective as GDPR, so the country is considered in the EEA with respect to data transfers.
To date so far, it appears that the EC adequacy determinations exist for Andorra, Argentina, Canada (commercial organizations only) The Faroe Islands, Guernsey, Israel as well as Guernsey, Israel Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. In the UK, the Data Protection Act implemented the GDPR fully and hasn’t changed after Brexit. Therefore, it’s an easy decision to determine that it’s adequate (and in fact, there is evidence that the UK Government has decided on the adequacy of transfers that go in the opposite direction between the UK towards within the EEA).
There are a lot of formalities to be completed before Europe will reciprocate. The EC must first present an adequacy proposal*, and the European Data Protection Board must decide on a formal opinion, and the plan is then approved by representatives from EU nations, then the decision has to be approved in the EC.
The last-minute Brexit agreement reached on December 24, 2020, provides an opportunity for data to flow freely into the UK until the month of June in 2021*.
The mechanism the EC has established to safeguard transactions from EEA to other countries not covered by the adequacy determination is a common contract clauses (SCCs) that are to be included into contracts for processing data. However, this is cumbersome (for example, the English template SCCs are 40-50 pages long) and the existing SCC system only covers controller-to-controller and controller-to-processor data transfers. The EC did publish a draft proposal for revised SCCs in November 2020 which also covers processor-to-controller and processor-to-processor transfers, but until these are formally adopted by the EC, they don’t have the legal force of the existing SCCs.
At the moment, the main message appears to be to stay calm and carry on.
On the 21st of June 2021 the European Council has signed off on an agreement post-Brexit on data adequacy that has been signed with the UK to ensure that data exchanges are maintained between EU with the UK. See https://www.research-live.com/article/news/ukeu-data-adequacy-agreement-ratified/id/5085262