Bridge Over Troubled Water - Brexit Agreement Solves Issue of Data Transfer, for Now

Privacy & Cybersecurity Newsletter
Winter 2021

On 30 December, with 24 hours to spare, the EU and UK signed a Trade and Cooperation Agreement, setting out their future relationship following Brexit.

Trumpeted as the most comprehensive international trade deal ever reached, the 1246-page Brexit Agreement effectively keeps the status quo on personal data transfer for a six-month Bridging Period. This allows organizations to continue freely transferring such data from the EU to the UK, while the EU takes a decision on whether to grant the UK longer-term adequacy status.

Pessimists might see this solution as merely kicking the can down the road, but, at the risk of mixing metaphors, there seems to be light at the end of this particular tunnel with a positive adequacy decision likely before the parties run out of bridge.

What does the Brexit Agreement say about data protection?

Although comprehensive and detailed in dealing with numerous aspects of trade in goods, transport, social security, law enforcement, judicial cooperation, health security and cybersecurity, the Brexit Agreement is notably succinct in its treatment of data protection.

Data protection doesn’t get a mention of substance for over 100 pages, until the section on digital trade, where the parties recognize that individuals have a right to the protection of personal data and that high standards in this regard contribute to trust in the digital economy. Encouragingly, this provision goes on to say that the Brexit Agreement doesn’t prevent a Party from adopting measures on the protection of personal data, including with respect to cross-border data transfers, provided its law allows transfers under conditions of general application for the protection of the data.

All subsequent references to data protection in the Brexit Agreement relate to UK and EU institutions respecting data protection in their cooperation in various fields, such as law enforcement, until its final provisions. Here, finally, the Brexit Agreement addresses the issue that businesses in at least 30 countries have been grappling with: how to lawfully transfer personal data from the EEA to the UK once the UK becomes a third country on 1st January 2021?

The solution is simple and is set out in the Brexit Agreement’s FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom. This Final Provision provides that, during the Bridging Period, transfers of personal data from the EU into the UK won’t be considered transfers to a third country.

The Bridging Period

The Bridging Period ends on the earlier of the date on which the EU grants the UK adequacy status or 30th June 2021, provided that either party could object on or before 30 April and end the Bridging Period on that date.

The solution has a number of safeguards. The Bridging Period will only apply if:

  • the UK makes no material changes to its data protection laws – which replicate the GDPR in all material respects – other than those required to align it with changes to GDPR or with which the EU agrees; and
  • the UK does not exercise designated powers without the EU’s agreement: these relate to making regulations and granting approvals and authorizations regarding data transfer.

If the UK makes such a change or exercises a power without agreement, the Bridging Period automatically ends.

Adequacy Decision

Cynics might argue that, now the EU has its deal, the UK having already determined that the EU was adequate for transfers from the UK, the EU does not need to grant the UK adequacy status during or following the Bridging Period.

However, for some time, the received wisdom has been that a Brexit deal is likely to lead to an adequacy decision, which since 19 February looks even more likely. An adequacy decision was never going to be made before the Brexit deal and, given its last-minute nature, there was never going to be enough time to have an adequacy decision in place simultaneously with the Brexit Agreement.

The Bridging Period therefore seems the optimal solution. The Information Commissioner certainly seems to think so, commenting “This is the best possible outcome for UK organizations processing personal data from the EU… organizations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”

The ICO nevertheless maintains a cautious approach, stating “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU organizations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.”

Despite that reservation, everything points to an adequacy decision. Within the Brexit Agreement, the Digital Trade section states that the Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. More specifically, Annex 3 to the Brexit Agreement contains a declaration, the Adoption of Adequacy Decisions with respect to the United Kingdom, in which the parties note the European Commission’s intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the GDPR.

Even more compelling is the EU Commission’s conclusion on 19 February (after this article was originally written) that UK law and practice on personal data protection does ensure an equivalent level of protection to GDPR. If the European Data Protection Board agrees, the Commission will request approval from Member States before adopting a final adequacy decision for the UK.

Barring unforeseen events, we should therefore expect to see a UK adequacy decision before June.

Conclusions

For now, organizations can continue to freely transfer personal data between the EU and UK, as before, and do not need to undertake the burden of carrying out an adequacy assessment and putting in place the standard contractual clauses.

The main change brought about by Brexit will be the need for organizations which are not established in either the UK or the EU to appoint a data protection representative, if subject to UK GDPR or EU GDPR. This is a relatively simple exercise.

In the meantime, organizations should keep a watching brief on the further progress of the UK’s adequacy decision.
