How will the Brexit deal affect data protection regulation and transfers of data between the UK and the EU? This article takes a first look.
The EU-UK Trade and Cooperation Agreement (the 'Deal') is sparse on detail on data however crucially it does grant pseudo adequacy to the UK for a period of four months (which can be extended to six months) from 1 January 2021 to allow the European Commission more time to make its formal Adequacy Assessment under Article 45 GDPR.
Other issues (e.g. Lead Supervisory Authorities) regarding Data & Privacy and Brexit were already confirmed by the Withdrawal Agreement and remain unchanged.
Data transfers from the EEA to the UK
At page 406 in Article FINPROV 10A the Deal, in summary:
- Grants interim/pseudo 'adequacy' for 4 months (can be extended to 6 months) (EEA to U.K. data transfers during this period are not considered a transfer to a 'third country').
- During this period the UK cannot (broadly) change data laws as they stand at 31 December 2020 (it is unlikely this would have happened).
- This period can be ended sooner by decision of the European Commission on the UK's adequacy status.
A decision on adequacy is expected by the European Commission during this interim period.
As we have said before, on the black letter of Article 45 and the assessment process, the UK's data and privacy regime should be adjudged as adequate notwithstanding exaggerated concerns over the UK's surveillance regime. This surveillance regime was described by UN Special Rapporteur for Privacy, Joseph Cannataci, in 2018 as:
'...a legal framework ... designed to protect privacy without comprising security... I am satisfied that the UK systematically employs multiple safeguards which go to great lengths to ensure that unauthorised surveillance does not take place, and that when authorisation is sought it is granted only after the necessity and proportionality of the surveillance measures are justified on a case by case basis'.
But as ever there will be a political element to this so as we have said since the adequacy process started in February 2020, watch this space!
There will inevitably also be challenges from the usual suspects to any adequacy decision, and possibly even to this interim decision (although there is little time for that kind of interim challenge).
As the decision on a deal was taken so late before the deadline most business have thought about (or even put in place) measures to deal with the potential of the UK as a non-adequate third country regarding EEA data transfers (e.g. ensuring intra group sharing agreements pick up the UK via Standard Contractual Clause mechanism, as per any current sharing with Australia, Singapore, and the US to name but a few).
Some of these measures have been designed to happen automatically, but even if not, it should not be too much of a challenge to effect these in the event of no adequacy.
Data transfers from the UK to the EEA
The UK has already adjudged all members states within the EU, the EEA states and Switzerland as adequate. This will be reviewed in four years' time, but for now UK to EEA transfers are secure with no further work (subject to them being lawful, proportionate and necessary, and clients would be well advised to look at the ICO's helpful new code of practice on data sharing).
On page 118 in Article DIGIT 6 'Cross-border data flows', the Deal also sets out that both parties are committed to ensure cross-border flows of data, and that neither the UK or the EU should put in place any restrictive and protectionist physical data localisation requirements.
Article DIGIT 7'Protection of personal data and privacy' then recognises the importance of data & privacy for individuals, and the right of both the UK and EU to put in place measures to protect personal data and privacy including with respect to cross border transfers as long as any law provides for instruments enabling transfers under 'conditions of general application'.
A moot point if there is an adequacy decision, but if not, we will have to see how Article DIGIT 7 plays out in relation to the UK, Schrems ii and use of Standard Contractual Clauses and BCRs etc. Although again see above, if the UK cannot use SCCs in line with Schrems ii then we question what third country in the world can, and in this regard we quote the UN Special Rapporteur again who said in 2019 that:
'the significant reinforcement of the oversight mechanisms in the UK since 2016 and thus several best practices, including some pioneered by the UK, could be explored by the participants'.
Lead Supervisory Authorities and Representatives
The Deal changes nothing in relation to Lead Supervisory Authorities (LSAs) and EU/UK Representatives.
The position is still that from the Withdrawal Agreement and from 1 January 2021, the ICO will no longer be able to act as an LSA for the purposes of cross-border data issues under the GDPR regime. Businesses who currently regard the ICO as their LSA need to re-consider which EU supervisory authority will be their LSA going forward. If they cannot demonstrate a main establishment within the EU, they may not benefit from an EU-wide 'one stop shop' for their GDPR compliance. This is a disappointing and myopic (if not unexpected) decision from the European Commission and one that will be to the detriment of European and UK companies, and frankly EU data subjects, especially considering the ICO's reach, reputation and ability to handle serious data issues (in comparison to most of the other 27 Supervisory Authorities in the EU). Perhaps in the future this decision might change, so watch this space again.
UK-based controllers/processors without a suitable establishment in the EU may have to designate an EU-based representative for GDPR compliance purposes, and update documentation (e.g. privacy notices, records) as necessary (this would also apply to overseas businesses that had previously appointed an EU representative based in the UK). Similarly, EU based controller/processors need to consider the same issue regarding a UK based representative.
What actions can be taken?
Many of these actions will have already been taken but we repeat them again:
- Continue to map all data flows but especially EU to UK.
- Reword privacy notices where necessary to reflect the fact that the UK is no longer in the EU.
- Wait to see if the UK secures an adequacy decision in the nextfour to sixmonths, and consider alternative transfer mechanisms if this appears unlikely.
- Review your LSA and representative status and consider alternative locations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.