The period in the run up to the UK-EU Trade and Cooperation Agreement being agreed was a highly uncertain time for businesses for many reasons, not least from a data protection perspective. A “no-deal” Brexit would have meant that the free flow of personal data between the UK and EU, which many businesses have come to rely on, would have been stopped in its tracks.
In the event of a no-deal Brexit, the UK would have immediately become a “third country” under the General Data Protection Regulation (GDPR). This would have meant that, in order for EU businesses to lawfully transfer personal data to the UK, additional safeguards (such as the standard contractual clauses) would have been required. For businesses already contending with another period of lockdown, the disruption caused by this additional administrative exercise could have been very damaging.
Fortunately (from a data protection perspective) the UK and EU agreed to the Trade and Cooperation Agreement and spared businesses from this burden – at least for the time being.
The key points in relation to data protection that businesses should take away from the Trade and Cooperation Agreement are as follows:
- Personal data flows from the UK to the EU and EEA can continue uninterrupted on the same basis as they have done since the General Data Protection Regulation was introduced in May 2018. This is because the UK government has already determined that EEA countries (i.e. those in the EU, plus Iceland, Liechtenstein and Norway) have adequate data protection regimes (although this is to be kept under review).
- An interim bridging period has been agreed, meaning that personal data flows from the EU to the UK can continue for now. The Trade and Cooperation Agreement provides for an initial period of 4 months during which the UK Government can attempt to obtain a decision from the European Commission confirming that the UK provides adequate protection for personal data (this is known as an “adequacy decision”). If more than 4 months is needed, this period can be extended to 6 months unless either side objects. It should also be noted that this period can be cut short if the UK decides to amend its data protection legislation to deviate from the rules under the GDPR.
In view of the above, if the European Commission grants an adequacy decision for the UK before the end of the interim period, transfers of personal data from the EU to the UK will be able to continue indefinitely without additional safeguards being required.
Conversely, if the European Commission does not grant an adequacy decision for the UK in the interim period, transfers of personal data from the EU to the UK will need to be accompanied by additional safeguards. The additional safeguards required in these circumstances would be the same as required when transferring personal data to another non-EEA country under the GDPR and may include standard contractual clauses or binding corporate rules.
Given that the UK has already adopted the GDPR, the UK and EU data protection regimes are currently almost identical (for the time being at least – see below). As such, it is hoped that the EU will grant an adequacy decision to give longer-term certainty in relation to data transfers from the EEA to the UK. However, adequacy is not guaranteed and it is expected that the European Commission may have concerns around the UK’s retention and use of data for national security purposes.
Alongside the implications of the Trade and Cooperation Agreement, it is also worth noting that:
- As the GDPR has now been adopted into UK law (the “UK GDPR”), businesses remain responsible for complying with data protection principles as if the UK was still in the EU. However, if the EU decides to update or amend the GDPR, any changes would not automatically be incorporated in the UK GDPR – we would have to adopt those changes separately – so the data protection regimes in the UK and EU could diverge in future.
- Businesses may need to consider if the references to “GDPR” in their contracts and data protection policies need to be updated.
- The concerns in relation to transferring personal data to the USA have not changed (following the decision of the European Court of Justice to declare the EU-US Privacy Shield invalid – see our article here). Extra care should be taken and legal advice may be necessary if your business is transferring personal data to the USA.
If your business is likely to be affected by the issues raised above, the Data Protection Team at Leathes Prior would be happy to assist and provide advice on meeting your data protection obligations. Contact Jack Horwitz or Alex Saunders in the team by calling 01603 610911 or emailing firstname.lastname@example.org.