We first published this alert on 4 January 2021 and we’ve updated it since with some additional considerations.
In the final days of 2020, the UK and the EU hastily agreed a temporary deal to preserve the 2020 position on data transfers in the short term. The deal is part of a wider UK-EU Trade and Cooperation Agreement which came into effect on 31 December 2020. The data transfer aspects of the Agreement last for a maximum of 6 months.
This is a source of relief for many organisations that would otherwise have had to rush to put in place additional safeguards to continue to transfer personal data to or from the UK. However, this does not mean that the issue has been resolved – the issues businesses face may just have been postponed.
What does the deal seek to achieve?
The UK-EU Trade and Cooperation Agreement is essentially a stop-gap deal to help with the Brexit transition process. It is a complex deal and is not just about data protection and GDPR. Other aspects of data are also dealt with in the Agreement, including passenger name data, vehicle registration data and fishing data. The UK’s summary of the Agreement says in respect of the data protection aspects:
“[The Agreement] helps to facilitate the cross-border flow of data by prohibiting requirements to store or process data in a certain location… The Agreement confirms strong data protection commitments by both the UK and the EU, protecting consumers and helping to promote trust in the digital economy.”
The effect of the Agreement’s bridging mechanism for personal data is that the UK will not be considered a “third country” (outside the EEA) for the purposes of GDPR for a period of at least 4 months (meaning that transfers of data from the EEA to the UK will not be prohibited by GDPR during this period). A further 2-month extension is available if neither side objects.
In some respects there’s been little progress since the UK voted for Brexit and our alert in August 2018 outlined many of the issues (see https://www.corderycompliance.com/brexit-and-data-protection/). In fact there’s not been much progress since we first wrote on the topic in March 2016 – https://www.corderycompliance.com/brexit-and-gdpr/. There is however a little more clarity now on issues like Binding Corporate Rules (BCRs) from an EU perspective (see our alert here https://www.corderycompliance.com/edpb-and-bcr/).
The deal is good news for now in terms of ensuring that EEA-UK cross-border flows of data can continue whilst in the background the UK seeks an “adequacy” decision from the European Commission. The Commission has the power to decide that a third country (outside the EEA) has an adequate level of data protection, with the effect being that personal data can be sent from an EEA state to a third country without any further safeguard being necessary. As we’ve seen with the collapse of both Safe Harbor and Privacy Shield however those adequacy decisions can always be subject to court challenge.
That being said, if the UK does not manage to achieve “adequacy” in the meantime, organisations could again be facing a “no-deal” situation regarding data transfers in 4 or 6 months’ time.
What about GDPR?
GDPR no longer directly applies in the UK. However, in practical terms UK-based businesses will still be subject to GDPR in one of two ways:
- through the application of GDPR’s extra-territoriality provisions – which mean that UK companies with an EEA establishment, or that offer goods or services to people in the EEA or monitor their behaviour in certain ways, will have to comply with GDPR; or
- by application of the Data Protection Act 2018 (DPA 2018) and by virtue of section 3 of the European Union (Withdrawal) Act 2018, which effectively bring GDPR’s provisions into UK law (the so-called UK GDPR).
You can find out more about the DPA 2018 here https://www.corderycompliance.com/client-alert-data-protection-act-2018/.
In the long term, there is scope for UK data laws to diverge from GDPR. However, as part of the negotiations with the EU the UK Government has committed to making no substantial changes during the interim 4- or 6-month period. Regrettably, given that this UK Government has been prepared to go back on its word previously, this commitment is not as certain as it should be.
What has been the response from the regulators?
The UK Information Commissioner, Elizabeth Denham said:
“This is the best possible outcome for UK organisations processing personal data from the EU…We will be updating the ICO guidance on our website to reflect the extended provisions and ensure businesses know what happens next.”
The ICO has also said:
“As a sensible precaution, before and during [the extension] period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.”
The EU’s Questions & Answers: EU-UK Trade and Cooperation Agreement document, amongst other things, explains the following in relation to the rationale for the deal and how this fits in with the UK’s pending adequacy decision:
“Will my data still be protected under the agreement?”
“The Agreement also includes a commitment by the EU and UK to uphold high levels of data protection standards. In principle, where personal data are transferred, the transferring Party shall respect its rules on international transfers of personal data.
For law enforcement and judicial cooperation, high levels of data protection standards are essential. These are to be ascertained by adequacy decisions taken unilaterally by each side. On the EU side, this means decisions attesting that UK standards are essentially equivalent to the EU standards set out in the EU’s General Data Protection Regulation (GDPR) and Law Enforcement Directive, and that they respect specific additional data protection standards stemming from opinions of the EU Court of Justice.
The European Commission has been intensively working on its adequacy decisions for the UK since March. Once it is satisfied with the information received, the Commission will launch the adoption process without delay. The adoption of each adequacy decision requires an opinion from the European Data Protection Board (EDPB) and the green light from Member States (as part of a comitology procedure).
This means that there will be a time gap between the possible entry application of the Agreement and the adoption of the adequacy decisions. For this reason, a bridging solution has been found and inserted in the Agreement to ensure stability and continuity during that interim period.”
Could the deal be challenged or backed out of?
There are a few possible ways in which the deal could be compromised.
Firstly, the Schrems III decision confirmed the different approaches of data protection regulators across the EU. In the absence of an adequacy decision, and outside of any deal, they would have been required to make their own assessment of the UK’s adequacy, particularly in view of the UK’s mass surveillance legislation. An independently minded regulator, for example from Germany, could (in theory at least) decide to ignore the deal and impose stricter restrictions on data transfers to the UK if it had adequacy concerns.
In terms of data flows from the UK to the EEA, the UK Secretary of State has ordered that, after the end of the transition period, transfers of data from the UK to the EEA will be permitted on the basis of adequacy, and has recognised EU Commission adequacy decisions made before the end of the transition period. This is dealt with in The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. This will be kept under review.
The UK Government has come out all guns blazing in its Brexit guidance on personal data about its ability to do what it wants with its own data protection rules:
“The UK regained full autonomy over its data protection rules from 1 January 2021. The EU-UK Trade and Cooperation Agreement bridging mechanism for personal data (Part Seven, Article FINPROV.10A) operates on the basis of UK law, as it stands on 1 January, and with some restrictions on the UK’s use of international data transfer powers.
The provision includes mechanisms to enable the UK to make changes to its data protection regime or exercise international transfer powers, subject to mutual agreement, without affecting the bridging mechanism. The UK will have full autonomy over its data protection rules. The EU does not have the power to block changes to its framework or use of its powers. If the EU objects to changes, and the UK anyway makes them, the bridge will end.”
The EU’s Questions & Answers: EU-UK Trade and Cooperation Agreement document explains what would happen if the UK does not respect its commitments on fundamental rights and data protection:
“In addition to a specific dispute settlement mechanism[s], the agreement contains provisions on suspension and termination of the law enforcement and judicial cooperation part of the agreement, in case guarantees to protect human rights fundamental freedoms and personal data are no longer ensured, or in case of serious breach of an obligation under the Agreement.”
Despite the UK Government’s fighting words, this mechanism in effect binds the UK to the EU rules, and any significant divergence could result in the bridging mechanism being terminated. One also has to question how much a sensible, properly informed UK Government would actually want to rock the boat whilst the UK’s own adequacy decision is pending. It is also important to remember that UK data protection law is not a creation of GDPR. The UK has had data protection law in place since 1984.
Given the concerns which some have expressed about the operations of the UK security services in particular, challenges cannot be ruled out (although arguably the bases for those concerns remain the same as before and have not increased as a result of the extension). However, by the time any case went to court, it may be a moot point if adequacy has been granted to the UK, unless the adequacy decision is also added for the court to adjudicate on (in the same way as Privacy Shield was added to the court’s consideration of Standard Contractual Clauses (SCCs) in the Schrems III case). It is therefore more likely that there will be a legal challenge to any future adequacy decision.
What is the current status of transfers from the UK under the various transfer mechanisms?
The UK GDPR governs data transfers from the UK to other countries, including to the EEA. These UK transfer rules are equivalent to EU GDPR rules on data transfers. The main provisions:
- permit the transfer of personal data from the UK to the EEA and to any countries which, as at 31 December 2020, were covered by a European Commission adequacy decision;
- allow the UK Government to make its own adequacy decisions in relation to third countries and international organisations (the so-called ‘adequacy regulations’);
- permit the continued use of any EU SCCs, valid as at 31 December 2020, both for existing restricted transfers and for new restricted transfers; and
- permit some BCRs to transition into the UK regime.
The UK has the freedom to keep the rules under review and over time these rules may diverge from the EU GDPR rules. The EU’s rules may also change – for example the planned review of GDPR may seek to make some of EU GDPR’s provisions tougher including to deal with issues with facial recognition and AI. The next scheduled formal review of EU GDPR is in 2024.
New UK Information Commissioner
One slight complication may be the fact that the current Information Commissioner’s term also ends in July 2021 – that might be just as the temporary 6-month period comes to an end. As a result, the appointment of a new Information Commissioner may also become relevant to any consideration of UK adequacy. The current Information Commissioner has handed out 2 of the all-time top 5 highest GDPR fines. A weak candidate being appointed could be taken as a sign that the UK is not so serious about data protection enforcement.
What about “legacy data”?
‘Legacy data’ is essentially personal data that an organisation collected before 1 January 2021 about an individual living outside the UK as of 31 December 2020. Without an EU adequacy decision, EU GDPR as it was on 31 December 2020 (‘frozen GDPR’) applies to the processing of that legacy data.
If an adequacy decision is granted, can the UK change its data protection laws as it likes?
Not exactly. If an adequacy decision is granted to the UK, the UK’s ability to substantially amend its rules would be limited. The legal requirement is that there must be essential equivalence to the level of protection offered by EU GDPR. The rules do not have to be exactly the same, but substantive changes may require the European Commission’s approval, or the adequacy decision could be revoked. Having said that, there has been criticism in the past of some adequacy decisions – including the Canadian adequacy decision – and the European Commission has done little to look into those concerns.
What happens next?
It is important to remember that this is a temporary deal.
The EU and the UK will both now look at adequacy decisions again to protect data transfers under both GDPR and the Law Enforcement Directive. If secured by the end of the temporary period, free flow of personal data to the UK from the EEA will be able to continue uninterrupted.
However, given the lack of progress to date and the maximum 6-month period of protection in the Agreement, organisations will want to use this time wisely to prepare for a possible ‘no deal’ situation on data transfers in particular.
Businesses should still review their data transfers and make sure they have an interim solution and a plan for when the temporary deal ends. Issues to be addressed include the following:
- Mapping key data flows in and out of the UK.
- Identifying legacy data in your systems and considering ways of tagging this to ensure the correct rules are applied to that data should the UK GDPR rules diverge from the ‘frozen GDPR’ in future.
- Putting agreements in place to protect data transfers – even intra-company.
- Making sure the Schrems III double-due diligence test is done. You might want to start with new suppliers. You will then likely want to look at shoring up transfers to group companies and key existing providers (like global HR systems, payroll, sales management systems) which are the most critical to your operations. You can find out more about this double-due diligence test here https://bit.ly/pshielddead.
- Having a long-term strategy on data localisation. This might include changing the location of your servers for some critical data processing.
- Considering whether you need to appoint a Data Protection Representative in the EU and/or the UK. The Agreement does not seem to resolve this issue.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes template processes and procedures for dealing with data rights requests, as well as short films and other guidance. You can find out more about GDPR Navigator at www.bit.ly/gdprnav.
Cordery’s Brexit Impact Plan helps organisations prepare for the effects of Brexit for a fixed fee. There are details here https://www.corderycompliance.com/solutions/brexit-impact-plan/.
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/ and on Brexit related issues here https://www.corderycompliance.com/category/brexit/.
A summary of the EU-UK Trade and Cooperation Agreement is here https://bit.ly/3b0SmBI.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong | André Bywater |
| --- | --- |
| Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |