To bring this back to the topic at hand:
FB moving UK users to US means UK GDPR and exceptions / specifics in the DPA 2018 will apply.
Key Qs: How will that diverge from EU? Post-transition ability / appetite to enforce? Legal backstop if enforcement absent or ineffective? https://twitter.com/TrialByTruth/status/1339139332188286979
FB moving UK users to US means UK GDPR and exceptions / specifics in the DPA 2018 will apply.
Key Qs: How will that diverge from EU? Post-transition ability / appetite to enforce? Legal backstop if enforcement absent or ineffective? https://twitter.com/TrialByTruth/status/1339139332188286979
Bear in mind that the government views UK’s ability to diverge on Data Protection as a competitive advantage. https://twitter.com/TrialByTruth/status/1338775463263690755?s=20
In contract terms, if your business has any dealings with EU residents and leverages FB as part of user interaction (that includes pretty universal FB cookies and trackers you need to check for) you will need to consider Schrems II and however UK lands on US adequacy
If US continues to be a 3rd country for EU and UK, if personal data will be transferred to, monitored by, or accessed from US, you need Standard Contractual Clauses in and whatever EU and UK deem adequate supplementary measures.
How much is enough? Entirely context specific.
How much is enough? Entirely context specific.
EDPB guidance on supplementary measures (consultation ends 21st Dec) https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en
Recommendations on assessing "essential equivalence" of destination country controls https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en
and draft of new EU SCCs https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741 consultation finished.
Recommendations on assessing "essential equivalence" of destination country controls https://edpb.europa.eu/our-work-tools/our-documents/recommendations/edpb-recommendations-022020-european-essential_en
and draft of new EU SCCs https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741 consultation finished.
Existing SCCs that are approved by the ICO, remain valid for a year. If necessary use them as the new ones won't be in place for 1st Jan. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#ib6
To prep do a Transfer Impact Assessment to confirm scope (see previous tweet for details in EDPB guidance.
To prep do a Transfer Impact Assessment to confirm scope (see previous tweet for details in EDPB guidance.
UK isn't expected to diverge significantly from EU benchmarks initially.
However, if the UK breaks from EU to offer the US a Privacy Shield-ish adequcy compromise, this will all change.
However, if the UK breaks from EU to offer the US a Privacy Shield-ish adequcy compromise, this will all change.