News

Richard Baxter and Hannah Solel examine data protection post-Brexit in Information Security Buzz

  • February 12, 2021
  • By Richard Baxter, Partner and Hannah Solel, Trainee Solicitor

This article was originally published in Information Security Buzz and can be accessed here

Personal data and the EU-UK trade deal – One month in

Data protection post-Brexit was not the most polarising subject facing EU and UK trade deal negotiators last year.  It was, however, of fundamental importance for both sides to agree a framework.

Whether this was achieved in the resulting Trade and Cooperation Agreement is subjective – the data provisions in the Agreement provide some degree of short-term certainty for businesses and organisations, but the long-term arrangements are yet to be settled.

Under the Trade and Cooperation Agreement, data has continued to flow from the EU and EEA to the UK since 1 January 2021. This is because the Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo. Data is continuing to flow from the UK to the EU and EEA, but this was a UK decision and was not addressed in the Agreement.

The specified period will last for four months from 1 January 2021, but the EU and UK can agree to extend the period by a further two months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision reflects whether the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.

The Trade and Cooperation Agreement anticipates two possible outcomes in relation to the adequacy decision. The first possible outcome is that an adequacy decision will be made within the specified period. This is the preferred outcome for pragmatic reasons, as the result of an adequacy decision will be that personal data can continue to flow from the EU and EEA to the UK without additional measures being introduced. The foregoing will apply for so long as neither jurisdiction substantively changes its legislation because an adequacy decision would be regularly reviewed and could be revoked.

The second possible outcome is that the specified period will end – on 30 June 2021 at the very latest, if the EU and UK agree to the maximum length of extension – without an adequacy decision being made by that time. In this scenario, data would still flow to the UK but be subject to new legal and administrative requirements. For example, UK businesses which trade with entities in the EU or EEA will need to enter into specific new contracts with their EU contacts. These contracts will contain EU-approved Standard Contractual Clauses, the purpose of which is to establish that the contracting UK business has adequate data protection standards.

There is therefore genuine uncertainty surrounding the adequacy decision. The Information Commissioner’s Office (ICO) recommends that UK businesses that are currently involved in relevant data flows into the EU or EEA, or may be involved in such activity in the future, make precautionary arrangements during the next few months in case an adequacy decision is not made. For UK businesses with no customers or contacts in the EU or EEA, precautionary measures are not necessary.

For UK businesses receiving, or likely in the future to receive, personal data from EU and EEA entities, precautions are recommended but the specific preparations will depend on the size and type of a business. Some preparations should be undertaken in any event as part of compliance with existing data protection laws (namely the GDPR, now called the UK GDPR).

Businesses should map where their personal data is coming from. Data mapping should involve identifying the specific EU or EEA country or countries where the data is being transferred from or to, and whether this might change in the future. Questions to then ask include how is the data processed (processing is a broad term and encompasses the obtaining, recording, storing, updating and sharing of data) and who is responsible for it?

As mentioned earlier, Standard Contractual Clauses should be considered and incorporated in to relevant existing and future documentation if appropriate. The Standard Contractual Clauses are standards terms and conditions that serve to protect personal data that flows from the EU or EEA to a third country – which the UK became on the 1 January 2021 – when a third country does not benefit from an adequacy decision. The EU has approved the wording of the clauses and the ICO strongly recommends their use as a safeguard for maintaining the flow of personal data in the event of no adequacy decision.

In addition, businesses should consider the extent of any personal data acquired from the EU or EEA before 1 January 2021. This is called ‘legacy data’. It is important to establish this type of data because, in the event of no adequacy decision, that data will continue to be subject to the EU’s GDPR, rather than the UK’s GDPR, which came into force on 1 January 2021. If there is an adequacy decision, legacy data will not be subject to the EU’s GDPR.

The prospect of several more months of waiting for a view on the adequacy decision is not ideal. Yet the Trade and Cooperation Agreement records that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”.  Such wording reflects the fact that historic alignment, up to 1st January 2021, evidences mutual acknowledgement that each jurisdiction already has a high level of personal data protection and, that absent any changes in legislation on either side, each jurisdiction should view the other’s data protection regime favourably.

Related News

Feb 19, 2021
Stephen Morrall comments on Uber losing a landmark Supreme Court battle in the Evening Standard and the Financial Times
Feb 05, 2021
Budget 2021 – Still time to prepare for any changes to Business Asset Disposal Relief
Jan 13, 2021
Stephen Morrall and Hannah Solel discuss the gig economy in 2021 in Employee Benefits
Jan 11, 2021
Richard Baxter and Hannah Solel provide a legal update on data protection in 2021
Jan 06, 2021
Stephen Morrall comments on unfair dismissal in Real Business
Dec 14, 2020
Hunters strengthens its Business team with new arrival
Jun 25, 2020
Stephen Morrall and Philippa Kum discuss witnessing a deed remotely
Jun 01, 2020
Amanda Lathia examines the legal challenges of returning to work during the post-COVID-19 lockdown in WealthBriefing
May 15, 2020
Amanda Lathia comments on returning to work during the pandemic
May 14, 2020
Petra Warrington and Stephen Morrall discuss private schooling during the Coronavirus lockdown in WealthBriefing

© Hunters Law LLP 2021 | Privacy NoticeLegal & Regulatory | Cookies Policy | Complaints Procedure.

Hunters Law LLP is authorised and regulated by the Solicitors Regulation Authority (number 657218)

WARNING: Website falsely claiming to be Hunters Law

4 March 2021

The website 'hunterslawllp.com' is operating, falsely claiming to be Hunters Law. This website has been created to mirror the genuine site, although contact details including telephone number and email addresses have been changed, and the SRA verification badge does not work.

We have also been made aware of a series of faxes circulating, purporting to come from ‘barrister’ Dominik Opalinski, advising of an unclaimed inheritance of $16.95M, which feature the same website address. Dominik is a genuine partner of the firm, but is not a barrister.

We have reported this to the SRA, and contacted the website domain hosts to request its urgent removal. If you receive correspondence of a similar nature to that described, please contact us directly by reliable and established means.