The Trade and Cooperation Agreement (“the Agreement”) between the EU and the UK contains good news for data protection practitioners. The free flow of data between the EEA[1] and the UK can continue after the end of 2020. This is extremely welcome. Recent research showed that having to put in place alternative transfer mechanisms could have cost UK businesses £1.6bn.[2] The free flow of data can also continue for transfers for law enforcement purposes. This is crucial. Ensuring that data can continue to be shared for preventing and detecting criminal activity is vital for the security of citizens on both sides of the Channel.
What about EU adequacy for the UK?
Adequacy decisions for the UK under the GDPR and the Law Enforcement Directive (“LED”)[3] have not yet been conferred. Instead, the Agreement creates a “bridging mechanism” to enable the free flow of data until such time as adequacy decisions under the GDPR and the LED can be put in place.
What will the procedure be for conferring adequacy on the UK?
The adoption of an adequacy decision entails: (1) a proposal from the European Commission, (2) an opinion from the European Data Protection Board (“EDPB”), (3) approval from representatives of the EU Member States, and finally (4) the adoption of a decision by the Commissioners.
When can we expect adequacy?
The bridging mechanism lasts for up to six months after 1st January 2021. The references to adequacy decisions for the UK don’t absolutely guarantee that they will be conferred, but it would be surprising if they were not. The Agreement paves the way for adequacy.
Adequacy and the wider context
There is also a wider context to consider. The UK is a departing EU Member State. To suggest that the UK is not adequate would set the bar for adequacy impossibly high. It could create substantial difficulties for the EU in conferring new adequacy decisions (for example on South Korea, or on certified US companies under any replacement for Privacy Shield). It could also prove a barrier to continuing existing adequacy decisions,[4] which are currently being reviewed by the European Commission.[5] Without adequacy, substantial extra compliance burdens would arise for EU businesses that transfer data to the UK, at a time when many can ill afford it. The burden of transferring data to third countries in the absence of an adequacy decision has increased following the Schrems II case. For example, transfer impact assessments require companies to conduct “mini adequacy assessments” of the countries to which data is transferred, using the same criteria as the European Commission applies when conferring adequacy decisions.[6] That means assessing the data protection framework in the third country as well as its international commitments and its respect for the rule of law, access to justice and international human rights norms (see Article 45(2) of the GDPR). These are complex considerations and particularly difficult for SMEs. Adequacy for the UK means that this work does not have to be done. Data can be transferred freely, as it is at the moment.
Does the Agreement look to what happens if the UK loses its adequacy decision either under the GDPR or the LED?
There has been much speculation about any adequacy decision in favour of the UK being challenged, and potentially being declared invalid by the Court of Justice of the European Union (“CJEU”), as happened with Safe Harbor[7] and Privacy Shield.[8] The Agreement foresees this. In a non-law-enforcement context, the Partnership Council,[9] which supervises the operation of the Agreement, is able to make recommendations to the Parties regarding the transfer of personal data in areas covered by the Agreement or any supplementing agreement. This provision potentially allows difficulties to be dealt with before they cause disruption. Alternatively, it could assist in providing a political solution in the event that the CJEU invalidates the UK adequacy decision. This is helpful and may avoid the situation in which businesses found themselves after the invalidation of Safe Harbor and Privacy Shield, where they were largely left to pick up the pieces (as well as the cost of putting in place new mechanisms).
The law enforcement provisions in the Agreement contain explicit clauses dealing with the invalidation of adequacy. The Agreement states that where there are serious or systematic deficiencies “within one party”, including where they have led to “a relevant adequacy decision ceasing to apply”, certain provisions in the law enforcement context may be suspended. At that point the Partnership Council can explore possible ways of allowing the party that notified the suspension to postpone its entry into effect, to reduce its scope or to withdraw it. This has the potential to cause tension between the CJEU’s assessment of adequacy and the Partnership Council’s approach. However, it mitigates the risk of losing the adequacy decision in a law enforcement context by allowing a solution to be found. This is a welcome innovation.
Will adequacy be affected if the UK shares data with the US in a law enforcement context?
Commentators had thought that onward transfers of EU data from the UK to the US in a law enforcement context might create difficulties for the UK in gaining EU adequacy. This was raised in correspondence between the EDPB and the European Parliament.[10] However, the Agreement addresses the onward transfer of data shared for law enforcement purposes. For example, law enforcement authorities are prohibited from making onward transfers without obtaining the consent of the authority that provided the information and without appropriate safeguards regarding the protection of personal data.[11] This would appear to deal with the concerns raised by the EDPB.
Does the end of the transition period mean any changes as regards data protection in the UK?
The GDPR won’t apply to the UK after the end of 2020. Instead, the GDPR will be saved into UK domestic law.[12] It will fall within the new category of law created by the European Union (Withdrawal) Act 2018 known as “retained EU law”.[13] It will be renamed the UK GDPR.[14] This means that for the most part UK data protection law will be the same as data protection law in the EU.[15] Although the UK GDPR enables the UK to make its own data protection “innovations”, such as conferring UK adequacy decisions on third countries and developing new transfer mechanisms such as “UK standard contractual clauses”, these changes are unlikely to happen until after adequacy is conferred.[16] There may, however, be changes to the UK’s data protection framework during the period when the “bridging mechanism” is in force if those changes involve aligning UK law with EU data protection law. For example, if the EU brings in new standard contractual clauses, the UK may issue new clauses which mirror the EU clauses.[17]
What practical steps should be taken to comply with the UK GDPR?
Some of the practical steps which may need to be taken are as follows:
- The UK GDPR has extra-territorial scope. This means that the UK GDPR applies to controllers or processors who are not established in the UK but undertake processing activities related to the offering of goods or services to data subjects in the UK or the monitoring of their behaviour, so far as that behaviour takes place in the UK (see Article 3 of the UK GDPR). The UK GDPR states that controllers or processors who are caught by the extra-territorial provisions need to designate a representative in the UK (see Article 27 of the UK GDPR).
- EU companies which have a branch in the UK may be deemed to be established in the UK under Article 3(1) of the UK GDPR and may therefore be subject to both the EU GDPR and the UK GDPR. Conversely, UK companies trading with the EU may be subject to the EU GDPR. Where UK companies are caught by the GDPR’s extra-territorial provisions, they may be required to appoint a representative in the EU (see Articles 3(2) and 27 of the GDPR).
- Contracts, policies and procedures need to be checked and may need to be amended to reflect the fact that the UK is no longer an EU Member State and is not subject to the GDPR (although individual companies in the UK may be subject to the GDPR, as set out above).
What does the Agreement say about regulatory cooperation? Will the ICO still be in the EDPB?
Although the Agreement does not enable the UK’s Information Commissioner’s Office (“ICO”) to take part in the EDPB, there are provisions which suggest that close cooperation between the ICO and EU Data Protection Authorities may take place in the future, including on enforcement.[18] It remains to be seen whether an agreement on this would be governed by Article 50 of the GDPR and the UK GDPR, or by an instrument which supplements the Agreement (see Article COMPROV.2 on supplementing agreements). The ability to supplement the Agreement allows a deepening of the UK/EU partnership going forward, including in the area of data protection.
Is there any suggestion that the UK might be intending to lower its data protection standards?…