A lifeline – data protection after Brexit30 December 2020
I am sure it is not necessary to set out the basic law relating to personal data protection – the GDPR has been such big news for some years that there are probably few people now who are not aware of it. One problem with regulatory law, especially where it is so complex, is that non-experts have a tendency to over-react and play safe leading to uber-compliance with what they think the law demands, but which is not strictly necessary.
Recently, there were reports that the EU might, after Brexit, hold UK personal data “hostage” as any UK personal data processed in the EU would be subject to EU laws and, absent an adequacy decision from the EU in favour of the UK, that data could not be lawfully transferred back to the UK. The difficulties thrown up by Schrems II rather added to the woes if Standard Contractual Clauses were no longer effective (it seems they might be – at least in some situations).
What does the Draft Trade Agreement say on the matter?
As has been observed, the draft Trade Agreement is immensely long at over 1,200 pages including its annexes and protocols and you will have to wait till page 414 before finding what you want to find on personal data transfers. But there it is – Article FINPROV.10A. First, you have to understand what is meant by the “specified period”: this is basically a longstop period of six months starting with the date the Trade Agreement comes into force and ending (if earlier) when the EU has given an adequacy notice. The draft agreement has provisional effect as from 1 January 2021 so that there should be no interruption to business. The six months is a longstop – technically it is four months extended to six months if neither side objects.
For the “specified period” therefore, personal data transfers from the EU to the UK will not be regarded as transfers to a third country and so not requiring any special measures (other than those normally undertaken as part of GDPR compliance). The UK has already indicated that transfers from the UK to the EU will be regarded as adequate.
There are some strings attached: the concession in the Trade Agreement is predicated on the fact that UK data protection law continues as it is and that there are no changes made to it during the “specified period” without the EU’s agreement. If the UK acts unilaterally in changing its data protection laws during the “specified period”, then the concession comes to an end and the UK will be a third country meaning that personal data transfers from the EU will depend on using existing legal mechanisms to permit transfer (if available).
For those really interested, the draft agreement also deals with a variety of other issues. Direct marketing is mentioned in Article DIGIT.14 (page 122) requiring both the UK and the EU to ensure that users are “effectively protected against unsolicited direct marketing communications”. Such direct marketing communications require consent of the individual recipient, though there is a saving for sending marketing communications to individuals where the communication is about similar goods or services. Again, some conditions are specified i.e. the communication must disclose what it is, who it sending it and the recipient must have the chance to opt out of future communications.
What is perhaps surprising is the prominence given to data protection issues. Title III of Part Two deals with cross-border data flows and establishes the basic principle that both the UK and the EU are committed to ensuring that cross-border data flows continue so as to facilitate trade in a digital economy. Importantly, neither party is allowed to insist on data localisation (Article DIGIT.6). Moreover, Article DIGIT.7 requires that both parties will continue to protect personal data and privacy, while envisaging that either party can adopt new measures dealing with the issue provided that any measures restricting data transfer will not discriminate against the other party but will be of general application. However, Article COMPROV.10 (page 407) requires the parties to continue to cooperate on matters of data protection and to maintain the highest possible levels of protection. The big carve-out is found when you go back to page 176 (Article GRP.1) which permits both parties to make their own regulations in a wide variety of areas, including data protection and cybersecurity (paragraph 3(h)).
There are also provisions dealing with a miscellany of other matters e.g. Article DIGIT.16 provides for cooperation moving forward on digital trade and Annex LAW-1 provides for data protection issues in the context of DNA, fingerprints and vehicle registration data. Part Three deals with law enforcement and judicial cooperation in criminal matters, again picking up on DNA, fingerprints and vehicle registration data and at Title III it goes on to deal with the transfer and processing of passenger name record data.
Just as important are the words on mutual communication and cooperation going forward in the areas of data protection and cyber security: what this will mean in practice remains to be seen.
On 19 February 2021, the EU Commission published a draft adequacy decision: it is now widely anticipated that this will ease the flow of data between the UK and the EU when it is formalised, though the conditions for this need to be examined in detail when the final text is published. What this means for the UK’s flexibility in changing its data protection laws remains to be seen.
So the pressure is off – depending on the Trade Agreement being approved by both parties. Assuming there are no hiccups, we now have a further period of six months to allow business to continue by allowing personal data transfers from the EU to the UK. The next big event will be a finding of adequacy by the EU to ensure that business can contunue beyond the “specified period”. This is not now thought to be a major obstacle. The next big problem will be when the UK changes its data protection laws (as has been promised by the Government) when the EU could withdraw the finding of adequacy. But let us leave that problem for another day.
Richard Stephens, 30 December 2020
This note is for general information only. Always take professional advice first before proceeding with acting in a specific situation.