On 30 December, with 24 hours to spare, the EU and UK signed a Trade and Cooperation Agreement, setting out their future relationship following Brexit.
Trumpeted as the most comprehensive international trade deal ever reached, the 1246 page Brexit Deal Agreement effectively keeps the status quo on personal data transfer for a six month bridging period. This allows organizations to continue freely transferring such data from the EU to the UK, while the EU takes a decision on whether to grant the UK longer term adequacy status.
Pessimists might see this solution as merely kicking the can down the road, but, at the risk of mixing metaphors, there seems to be light at the end of this particular tunnel with a positive adequacy decision likely before the parties run out of bridge.
What does the Brexit Deal say about data protection?
Although comprehensive and detailed in dealing with numerous aspects of trade in goods, transport, social security, law enforcement, judicial cooperation, health security and cybersecurity, the Brexit Deal Agreement is notably succinct in its treatment of data protection.
Data protection doesn’t even get a mention of substance for over 100 pages, until the section on digital trade where the parties recognize that ‘individuals have a right to the protection of personal data and high standards in this regard contribute to trust in the digital economy’.
Nearly all the subsequent references to personal data in the Brexit Deal Agreement are requirements for UK and EU institutions to apply data protection law as part of their cooperation in various fields such as law enforcement, until the last section, Part Seven, ‘Final Provisions’. Here, finally, the Brexit Deal Agreement addresses the issue businesses in at least 30 countries have been grappling with: how to lawfully transfer personal data from the EU to the UK once the UK becomes a third country on 1st January 2021?
The solution is simple and is set out in Final Provision 10A: Interim provision for transmission of personal data to the United Kingdom. This provides that transferring personal data from the EU into the UK won’t be considered as transfer to a third country during a bridging period. In other words, during that period it will still be regarded as a transfer within the EU.
How Long is the Bridging Period?
The bridging period ends on the earlier of the date on which the EU grants the UK adequacy status and 30th June 2021, provided that either party can object up to 30 April, ending it on that date.
The solution has a number of safeguards for the EU. The bridging period will only apply so long as:
If the UK makes such a change or exercises a power without the EU’s agreement, the Bridging Period automatically ends.
Cynics might argue that now the EU has its deal, the UK having already determined that the EU is adequate for transfers of data from the UK, the EU does not need to grant the UK adequacy status during the Bridging Period.
However, the received wisdom is that an adequacy decision is now likely. It was never going to be made before a Brexit deal and given the last minute nature of that deal, there was never going to be enough time to have it in place simultaneously.
The Bridging Period therefore seems the optimal solution. The UK’s Information Commissioner certainly seems to think so, commenting “This is the best possible outcome for UK organizations processing personal data from the EU… organizations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”
The Information Commissioner’s Office, the ICO, nevertheless urges caution, stating “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU organizations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.”
Despite that warning, everything points to an adequacy decision. Within the Brexit Deal Agreement the Digital Trade section states that the Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. More specifically, the EU and UK published Annexes to the Brexit Deal Agreement. Annex 3 concludes with a declaration: ‘the Adoption of Adequacy Decisions with respect to the United Kingdom’, in which the parties note the European Commission’s intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the GDPR.
Hints do not get much better than that and, barring unforeseen events, we should expect to see the UK given an adequacy decision before June. This will facilitate the free transfer of personal data between the EU and UK for the next few years at least, barring a successful Schrems-like challenge.
Over the coming months, organizations can continue to freely transfer personal data between the EU and UK, in both directions, as before, and do not need to undertake the burden of carrying out an adequacy assessment and putting in place the standard contract clauses.
From a GDPR standpoint, the main change brought about by Brexit will be the need for organizations not established in either the UK or the EU to appoint data protection representatives in the region(s) where they are not established. This is a relatively simple exercise.
Finally, organizations should look out for news of the EU adopting an adequacy decision for the UK, before June.
Follow Locke Lord’s Brexit Blog for the latest updates, commentary and analysis and the potential legal implications that may affect businesses, whether in the UK or abroad.