After eight months of negotiations, the EU–UK trade deal – or more properly, the EU–UK Trade and Co-operation Agreement (“TCA”) – was signed on 30 December 2020. The agreement sets out the framework of the EU–UK relationship now that the UK is no longer a member state. It began to be applied on 1 January 2021, when the Brexit transition period ended.
So, how does the new TCA affect data protection law compared to how things stood when the UK was still a member of the EU?
International data transfers
Before the TCA was agreed, the UK was due to become a “third country” for the purposes of international data transfers from member states of the European Economic Area (“EEA”) to the UK, under the General Data Protection Regulation (“GDPR”). This meant that the transfer of personal data from EEA states into the UK was not allowed without additional safeguards in place (such as standard contractual clauses (“SCCs”)). Transfers would only have been possible if the UK achieved the EU’s required adequacy status before the end of the Brexit transition period.
However, the TCA provides a temporary reprieve in relation to international data transfers. Its provisions enable the previous Brexit transitional arrangement to continue (i.e. personal data can continue to flow from the EEA to the UK) for a further interim period of initially four months (but a reprieve in total of up to six months) as long as the UK makes no major changes to its data protection laws and does not, during that time, make its own adequacy decisions or publish its own SCCs and so on.
For data flowing from the UK to the EEA, the UK government has already announced that it intends to regard all EEA member states as adequate for the purposes of such transfers.
This six-month “bridging mechanism” (as the UK government has dubbed it) seems intended to give the EU Commission time to consider making an adequacy decision in respect of the UK that would permit free flow of personal data from the EEA to the UK.
Such an adequacy decision is a separate process from the trade deal and has been under separate consideration by the EU Commission throughout 2020 and into 2021. Although UK adequacy is hoped for, it is by no means guaranteed. In a meeting of the European Parliament on 14 January 2021, Bruno Gencarelli, Head of Data Flows and Protection at the European Commission, laid out the hoped-for schedule. He stated, “We are now finalising our assessment and we will trigger the decision-making process in the coming weeks … The first step is seeking the opinion of the European Data Protection Board. The objective is to finalise this process within the period created by this interim arrangement of the four-plus-two months.”
There are clearly elements of the UK’s data-processing regime that may cause the EU Commission concern; consider, for example, the recent Court of Justice of the European Union (“CJEU”) cases regarding UK national security processing. In addition, there has already been discussion of the possibility of challenges being made to any adequacy decision reached in relation to the UK. This would echo the complaints that ultimately saw the decisions in relation to the US Safe Harbor scheme and then the US Privacy Shield invalidated. Controllers and processors relying on UK adequacy in future will therefore have to bear in mind the possibility that any EU adequacy decision may be challenged or revoked.
The current advice from the UK government is: “As a sensible precaution, during the bridging mechanism, it is recommended that you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of EU to UK personal data. For most organisations, the most relevant of these will be Standard Contractual Clauses (SCCs).” By following this advice, businesses can help to protect against any interruption to data flows if the European Commission does not end up adopting an adequacy decision during the six-month bridging mechanism.
More detailed guidance on what actions might be necessary is also available from the Information Commissioner’s Office (“ICO”) and the European Data Protection Board (“EDPB”).
Other things to consider
It is important to note that the six-month bridging mechanism only applies in relation to international data transfers. Organisations should also consider other GDPR Brexit compliance actions now, including:
- Updating internal policies, privacy notices and DPIAs.
Both UK and EU organisations are likely to need to amend their policies, privacy notices and new and existing data protection impact assessments (“DPIAs”) to reflect the UK relinquishing its status as a member state.
If you’d like some help with this task, we’ve helped many of our clients to draft and amend their policies and procedures, privacy notices and DPIAs, so please get in touch.
- Appointing an EU or UK representative.
UK-based controllers or processors that offer goods or services to individuals who are based in the EU (or monitor their behaviour) may need to appoint an EU representative.
The same rule applies in reverse, so EU-based controllers or processors may need to appoint a UK representative too.
- Readying for a change in interactions with European data protection authorities.
Under the GDPR’s one-stop-shop mechanism, the ICO has been the lead supervisory authority in the EU for UK organisations. This enabled organisations to deal with only one authority in the EU. So, for example, a UK organisation that had customers in the UK, France and Spain would only have needed to deal with one of the authorities of those states.
However, now that the UK is no longer an EU member state, the situation has changed. In our example, the same UK organisation will need to deal with the UK authority (the ICO), plus potentially both of the authorities in France and Spain.
Organisations should consider their international operations and work out which data protection authorities may have jurisdiction over any relevant data processing, and therefore whether there is any additional compliance risk involved.
- Confirmation of your BCRs by the ICO.
Arrangements for binding corporate rules (“BCRs”) will change too. For new applications, the ICO has introduced UK BCRs to enable transfers of data from the UK. Those organisations that have existing authorised BCRs must apply to the ICO to obtain confirmation that they will be automatically eligible for UK BCRs.
With the granting of adequacy by the European Commission being far from a given, the EDPB, ICO and UK government are also emphasising that organisations must ensure that technical and other compliance measures (such as SCCs) are in place in good time.
If you would like some help steering your organisation through these post-Brexit waters or ensuring compliant international data transfers, please get in touch.