This article was originally published in Information Security Buzz and can be accessed here.
Personal data and the EU-UK trade deal – One month in
Data protection post-Brexit was not the most polarising subject facing EU and UK trade deal negotiators last year. It was, however, of fundamental importance for both sides to agree a framework.
Whether this was achieved in the resulting Trade and Cooperation Agreement is subjective – the data provisions in the Agreement provide some degree of short-term certainty for businesses and organisations, but the long-term arrangements are yet to be settled.
Under the Trade and Cooperation Agreement, data has continued to flow from the EU and EEA to the UK since 1 January 2021. This is because the Agreement allows for an interim “specified period” during which the existing data protection regime continues as the status quo. Data is continuing to flow from the UK to the EU and EEA, but this was a UK decision and was not addressed in the Agreement.
The specified period will last for four months from 1 January 2021, but the EU and UK can agree to extend the period by a further two months. This time is needed because an “adequacy decision” has not yet been made by the European Commission. As the UK is now a third country from the EU’s perspective, an adequacy decision reflects whether the EU considers the UK’s data protection regime to be sufficiently similar, or equivalent, to the EU’s data protection regime.
The Trade and Cooperation Agreement anticipates two possible outcomes in relation to the adequacy decision. The first possible outcome is that an adequacy decision will be made within the specified period. This is the preferred outcome for pragmatic reasons, as the result of an adequacy decision will be that personal data can continue to flow from the EU and EEA to the UK without additional measures being introduced. The foregoing will apply for so long as neither jurisdiction substantively changes its legislation because an adequacy decision would be regularly reviewed and could be revoked.
The second possible outcome is that the specified period will end – on 30 June 2021 at the very latest, if the EU and UK agree to the maximum length of extension – without an adequacy decision being made by that time. In this scenario, data would still flow to the UK but be subject to new legal and administrative requirements. For example, UK businesses which trade with entities in the EU or EEA will need to enter into specific new contracts with their EU contacts. These contracts will contain EU-approved Standard Contractual Clauses, the purpose of which is to establish that the contracting UK business has adequate data protection standards.
There is therefore genuine uncertainty surrounding the adequacy decision. The Information Commissioner’s Office (ICO) recommends that UK businesses that are currently involved in relevant data flows into the EU or EEA, or may be involved in such activity in the future, make precautionary arrangements during the next few months in case an adequacy decision is not made. For UK businesses with no customers or contacts in the EU or EEA, precautionary measures are not necessary.
For UK businesses receiving, or likely in the future to receive, personal data from EU and EEA entities, precautions are recommended but the specific preparations will depend on the size and type of a business. Some preparations should be undertaken in any event as part of compliance with existing data protection laws (namely the GDPR, now called the UK GDPR).
Businesses should map where their personal data is coming from. Data mapping should involve identifying the specific EU or EEA country or countries where the data is being transferred from or to, and whether this might change in the future. Questions to ask next include how the data is processed (processing is a broad term and encompasses the obtaining, recording, storing, updating and sharing of data) and who is responsible for it.
As mentioned earlier, Standard Contractual Clauses should be considered and incorporated into relevant existing and future documentation if appropriate. The Standard Contractual Clauses are standard terms and conditions that serve to protect personal data that flows from the EU or EEA to a third country – which the UK became on 1 January 2021 – when that third country does not benefit from an adequacy decision. The EU has approved the wording of the clauses and the ICO strongly recommends their use as a safeguard for maintaining the flow of personal data in the event of no adequacy decision.
In addition, businesses should consider the extent of any personal data acquired from the EU or EEA before 1 January 2021. This is called ‘legacy data’. It is important to identify this type of data because, in the event of no adequacy decision, that data will continue to be subject to the EU’s GDPR, rather than the UK’s GDPR, which came into force on 1 January 2021. If there is an adequacy decision, legacy data will not be subject to the EU’s GDPR.
The prospect of several more months of waiting for a view on the adequacy decision is not ideal. Yet the Trade and Cooperation Agreement records that the EU and UK “affirm their commitment to ensuring a high level of personal data protection”. Such wording reflects the fact that historic alignment, up to 1 January 2021, evidences mutual acknowledgement that each jurisdiction already has a high level of personal data protection and that, absent any changes in legislation on either side, each jurisdiction should view the other’s data protection regime favourably.