EU-UK data flows, adequacy and regulatory changes from 1 January 2021 | Fieldfisher
24/12/2020

Now that a Brexit trade agreement has been reached, Fieldfisher technology, outsourcing and privacy director Eleonor Duhs confirms the position on EU-UK data transfers.

 
The Trade and Cooperation Agreement (the Agreement) between the EU and the UK contains some good news for data protection practitioners. 

The free flow of data between the EEA[1] and the UK can continue after the end of 2020. This is particularly welcome, since recent research showed that having to put alternative transfer mechanisms in place could have cost UK businesses £1.6 billion.[2]

The free flow of data can also continue for transfers for law enforcement purposes. This is crucial, as ensuring data can continue to be shared to prevent and detect criminal activity is vital for the security of citizens in the EU and the UK.

What about EU adequacy for the UK? 

Adequacy decisions for the UK under the GDPR and the Law Enforcement Directive (LED)[3] have not yet been conferred. Instead, the Agreement creates a "bridging mechanism" to enable the free flow of data until adequacy decisions under the GDPR and LED can be put in place. 

What will the procedure be for conferring adequacy on the UK? 

The adoption of an adequacy decision entails: (1) a proposal from the European Commission; (2) an opinion from the European Data Protection Board (EDPB); (3) approval from representatives of the EU Member States; and (4) the adoption of a decision by the Commissioners.  

When can we expect adequacy? 

The bridging mechanism lasts for up to six months after 1 January 2021. The references to adequacy decisions for the UK do not absolutely guarantee that they will be conferred, but it would be surprising if they were not, as the Agreement paves the way for adequacy.

Adequacy and the wider context

There is also a wider context to consider. The UK is a departing EU Member State, so to suggest the UK is not adequate would set the bar for adequacy impossibly high. 

It could create substantial difficulties for the EU in conferring new adequacy decisions (for example on South Korea or on certified US companies under any replacement for Privacy Shield). It could also prove a barrier to continuing existing adequacy decisions.[4] These are currently being reviewed by the European Commission.[5] 

Without adequacy, substantial extra compliance burdens would arise for EU businesses who transfer data to the UK, at a time when many can ill afford it. The burden of transferring data to third countries in the absence of an adequacy decision has increased following the Schrems II case. For example, transfer impact assessments require companies to conduct "mini adequacy assessments" of countries to which data is transferred, using the same criteria as the European Commission when conferring adequacy decisions.[6] 

That means assessing the data protection framework in the third country as well as its international commitments and respect for the rule of law, access to justice and international human rights norms (see Article 45(2) of the GDPR). These are complex considerations and particularly difficult for SMEs to comply with. 
Adequacy for the UK means that this work does not have to be done. Data can be transferred freely, as it is at the moment.

Does the Agreement look to what happens if the UK loses its adequacy decision under the GDPR or LED? 

There has been much speculation about any adequacy decision in favour of the UK being challenged, and potentially being declared invalid by the Court of Justice of the European Union (CJEU), as happened with Safe Harbor[7] and Privacy Shield.[8]

The Agreement foresees this. In a non-law enforcement context the Partnership Council[9], which supervises the operation of the Agreement, is able to make recommendations to the parties regarding the transfer of personal data in areas covered by the Trade and Cooperation Agreement, or any supplementing agreement.   

This provision potentially allows difficulties to be dealt with before they cause disruption. Alternatively, this could assist in providing a political solution in the event that the CJEU invalidates the UK adequacy decision. 

This is helpful and may avoid the situation businesses found themselves in after the invalidation of Safe Harbor and Privacy Shield, where they were largely left to pick up the pieces (as well as the cost of putting in place new mechanisms).

The law enforcement provisions in the Trade and Cooperation Agreement contain explicit clauses dealing with the invalidation of adequacy. The Agreement states that where there are serious or systematic deficiencies "within one party", including where they have led to "a relevant adequacy decision ceasing to apply", the Agreement enables certain provisions in the law enforcement context to be suspended.

At this point, the Partnership Council can explore possible ways of allowing the party that notified the suspension to postpone its entry into effect, to reduce its scope or to withdraw it. This has the potential to cause tension between the CJEU's assessment of adequacy and the Partnership Council's approach. 
However, it mitigates the risk of losing the adequacy decision in a law enforcement context by allowing a solution to be found. This is a welcome innovation.

Will adequacy be affected if the UK shares data with the US in a law enforcement context? 

Commentators had thought that onward transfers of EU data from the UK to the US in a law enforcement context might create difficulties in terms of the UK gaining EU adequacy. This was raised in correspondence between the EDPB and the European Parliament.[10]

However, the Agreement addresses the onward transfer of data shared for law enforcement purposes. For example, law enforcement authorities are prohibited from making onward transfers without obtaining consent of whichever authority provided the information and without appropriate safeguards regarding the protection of personal data.[11] This would appear to deal with the concerns raised by the EDPB.

Does the end of the transition period mean any changes as regards data protection in the UK? 

The GDPR will not apply to the UK after the end of 2020. Instead, the GDPR will be saved into UK domestic law.[12]

It will fall within the new category of law created by the European Union (Withdrawal) Act 2018 known as "retained EU law".[13] It will be renamed the UK GDPR.[14] This means that for the most part, UK data protection law will be the same as data protection law in the EU.[15]

Although the UK GDPR enables the UK to make its own data protection "innovations", such as conferring UK adequacy decisions on third countries and developing new transfer mechanisms such as "UK standard contractual clauses", these changes are unlikely to happen until after adequacy is conferred.[16]

There may, however, be changes to the UK's data protection framework during the period when the "bridging mechanism" is in force if these changes involve aligning UK law with EU data protection law. For example, if the EU brings in new standard contractual clauses, the UK may issue new clauses which mirror the EU clauses.[17]

What practical steps should be taken to comply with the UK GDPR? 

Some of the practical steps which may need to be taken are as follows:
 
  • The UK GDPR has extra-territorial scope. This means that the UK GDPR applies to controllers or processors who are not established in the UK but undertake processing activities related to the offering of goods or services to data subjects in the UK or the monitoring of their behaviour, so far as that behaviour takes place in the UK (see Article 3 of the UK GDPR). The UK GDPR states that controllers or processors who are caught by the extra-territorial provisions need to designate a representative in the UK (see Article 27 of the UK GDPR).
  • EU companies which have a branch in the UK may be deemed to be established in the UK under Article 3(1) of the UK GDPR and may therefore be subject to both the EU GDPR and the UK GDPR. UK companies trading with the EU may be subject to the GDPR. Where UK companies are caught by the GDPR's extra-territorial provisions, they may be required to appoint a representative in the EU (see Articles 3(2) and 27 of the GDPR).
  • Contracts, policies and procedures need to be checked and may need to be amended to reflect the fact that the UK is no longer an EU Member State and is not subject to the GDPR (although individual companies in the UK may be subject to the GDPR, as set out above).   
 
What does the Agreement say about regulatory cooperation? Will the ICO still be in the EDPB?

Although the Agreement does not enable the UK's Information Commissioner's Office (ICO) to take part in the EDPB, there are provisions which suggest that close cooperation between the ICO and EU Data Protection Authorities may take place in the future, including on enforcement.[18]

It remains to be seen whether an agreement on this would be governed by Article 50 of the GDPR and UK GDPR, or by an instrument which supplements the Agreement (see Article COMPROV.2 on supplementing agreements). The ability to supplement the agreement allows a deepening of the UK/EU partnership going forward, including in the area of data protection.

Is there any suggestion that the UK might be intending to lower its data protection standards?

No – the Agreement specifically states that both the UK and the EU "affirm their commitment to ensuring a high level of personal data protection" and a willingness "to work together to promote high international standards".[19]

What does the Agreement say about data localisation[20]?

The Agreement sets out that the UK and the EU are committed to ensuring cross-border data flows to facilitate trade in the digital economy.[21]

There are provisions that state cross-border data flows should not be restricted between the EU and the UK by requiring the localisation of data in a party's territory for storage or processing. There had been concerns that the EU might be on a journey towards data localisation.[22] However, these provisions suggest that any such strategy does not apply, at least insofar as data sharing between the EU and the UK is concerned.

Any other hints about the future direction of travel of UK data protection law?

The Agreement leaves open the possibility of providing sector-specific measures, including on cross-border transfers.[23] However, these are likely to complement rather than cut across current standards.

The GDPR and the UK GDPR enable sector-specific approaches, for example under codes of conduct drawn up by associations and other bodies representing categories of controllers or processors.[24]

What about data flows from the UK to the EEA?

The UK has deemed the EEA to be adequate on a transitional basis.[25] That means that a free flow of data from the UK to the EEA can continue for a few years (likely until December 2024), by which time the UK will have conducted formal adequacy assessments of the EEA.

What about data flows from the UK to third countries?

Data flows from the UK to third countries can take place in the same way as before 1 January 2021. The UK GDPR and the Data Protection Act 2018 preserve the EU's transfers framework in UK domestic law.

The UK has kept the EU's existing adequacy decisions as a method of transferring data under the UK GDPR.[26] It has also kept the EU's standard contractual clauses as a transfer mechanism.[27]

Conclusion

The Agreement provides a stable basis for future EU-UK data flows, with scope for fast resolution of any issues regarding data transfers at a political level.

The emphasis on high data protection standards for both sides dispels concerns about the UK lowering its standard of protection. The emphasis on the importance of cross-border transfers and the avoidance of data localisation is decidedly internationalist. 

The Agreement also provides for the UK and the EU to supplement its provisions with further agreements, opening the door for wide-ranging collaboration. 
 
[1] The text of the Trade and Cooperation Agreement states that the free flow of data can also continue from Iceland, Liechtenstein and Norway to the UK (see Article FINPROV.10A(2) at p. 415 of the Agreement).
[2] See McCann, D, Patel, O and Ruiz, J (2020) The cost of data inadequacy. Retrieved from ucl_nef_data-inadequacy.pdf.  This figure represents money that companies would have been able to allocate to other areas such as investing in new equipment, employees or processes but which would have had to be diverted to paying for compliance or additional costs for goods and services because of disruption to data flows from the EU to the UK. 
[3] Directive (EU) 2016/680 on the protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data.
[4] The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
[5] These assessments were initially due to be completed in May 2020 but were postponed pending the Schrems case.  See 1_en_act_part1_v6_1.pdf (europa.eu)
[6] See the EDPB's draft recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data adopted on 10 November 2020.
[7] See Maximillian Schrems v Data Protection Commissioner C-362/14 EU:C:2015:650, also known as Schrems I.
[8] See Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, C-311/18 EU:C:2020:559 also known as Schrems II. 
[9] The Partnership Council will supervise the operation of the agreement at a political level, providing strategic direction. The Partnership Council will be supported by a network of other committees. These will provide necessary opportunities for technical discussion to ensure the smooth implementation of the agreement and its stable operation. See Title III of the Trade and Cooperation Agreement.
[10] See for example Andrea Jelinek's letter of 15th June 2020 to the European Parliament here.
[11] See Article LAW.EUROJUST.72.
[12] See section 3 of the European Union (Withdrawal) Act 2018. 
[13] For further discussion on retained EU law see Duhs, E and Rao, I, Retained EU law: a Practical Guide, the Law Society (2021).
[14] See the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020.
[15] Note however that the mechanisms which allowed UK controllers and processors to benefit from cross-EU regulatory cooperation such as the one stop shop are removed - see for example the removal of the definition of main establishment (Article 4(16) of the GDPR), cross-border processing (Article 4(23) of the GDPR) and lead authority (see Article 56 of the GDPR). 
[16] See the Agreement, Article FINPROV.10A(1) and (3) at p. 414 and 415. If the UK does make these sorts of changes to its data protection regime without the EU's agreement then this may result in the bridging mechanism coming to an end, and a transfer from the EU to the UK requiring a transfer mechanism under Chapter V of the GDPR. 
[17] See Article FINPROV.10A(6).
[18] See Article COMPROV.10(3) at page 407.
[19] See Article COMPROV.10(1). 
[20] Data localisation involves storing data in the country in which it was generated.
[21] See Article DIGIT.6 Cross-border data flows at 119.
[22] For example, the European Data Protection Supervisor ("EDPS")'s Strategy paper for complying with the Schrems II decision stated that "the EDPS strongly encourages EU institutions to ensure that any new processing operations or new contracts with any service providers does not involve transfers of personal data to the United States". Further, the burden of transferring data to third countries in the absence of an adequacy decision has increased following the Schrems II case. There have been concerns that EU companies might decide that data localisation (where this is possible) is the only way of dealing with the increased regulatory burdens and this might lead them to pursue a strategy of data localisation as a way of mitigating these extra costs. 
[23] See Article DIGIT.7(2).
[24] See Article 40(2) of the GDPR and Article 40(2) of the UK GDPR.
[25] See paragraphs 4 and 5(1)(a) of Schedule 21 to the Data Protection Act 2018.
[26] The decisions themselves are not kept, but their effect is continued in paragraphs 4 and 5 of Schedule 21 to the Data Protection Act 2018.
[27] See paragraphs 7 and 8 of Schedule 21 to the Data Protection Act 2018.