Till Data Do Us Part: A Review of UK and EU Data Protection Arrangements after Brexit

Anyone who has run out of reading material after the holiday period should turn to the Trade and Cooperation Agreement between the UK government and the European Commission (the Agreement). Coming in at over 1,200 pages, the Agreement has now been published in full and unanimously authorised by all 27 EU Member States. The terms of the Agreement are now in effect as of 1 January 2021, and, upon receiving approval from the European Parliament, will be formally adopted by the European Council by 28 February 2021.

Embedded within the Digital Trade section of the Agreement, the data protection topics are addressed briefly, but with far-reaching consequences, particularly with respect to cross-border data transfers.

The Agreement reflects a duality in play between the UK and the EU: certainly, there are intertwined links between the two parties with respect to their high standards for privacy and data protection, but there is also an express recognition of regulatory independence. It will be interesting to observe how this dichotomy plays out in a post-Brexit age. For now, there is a six month reprieve for businesses concerned about transferring personal information from the EEA to the UK, and the EU and UK have committed to keeping each other informed of their data protection measures. There will also be a mutual and ongoing commitment by both the EU and the UK with respect to ePrivacy. However, neither party is prevented from independently adopting or maintaining data protection measures in the long term—including with respect to cross-border data transfers.

We set out below some key takeaways of the Brexit deal for data protection professionals in the short term, and what to watch out for in the long term.

Data transfers from the EEA to the UK

One of the most hotly anticipated repercussions of Brexit centers on the flows of personal information from the EEA to the UK.

In the absence of an adequacy decision from the European Commission, any transfer of personal information from EEA to UK organisations will constitute a transfer of personal information to a “third country” and will therefore require appropriate safeguards under Article 46 GDPR (such as Standard Contractual Clauses, Binding Corporate Rules, etc.).

Under the Agreement, there will be an interim period during which the UK will not (yet) be considered a third country for data transfer purposes. The interim period lasts until the earlier of (i) the date on which the EC adopts an adequacy decision in relation to the UK, and (ii) (effectively) 30 April 2021—and that date will be extended by two further months unless either the UK or the EC object to this.

The interim period will apply, provided that the following criteria are met:

1. the UK retains its current data protection and ePrivacy rules during that period; and
2. the UK only exercises certain powers under the UK data protection rules upon agreement with a newly formed UK/EU Partnership Committee.

The UK has long intended to implement a UK version of the GDPR (which is now in effect as of 1 January 2021, and known as the UK GDPR) and already has ePrivacy laws that are consistent with the EU ePrivacy Directive. So, condition (i) above simply aims to maintain the status quo during the adequacy assessment.

However, condition (ii) restricts the UK from exercising fundamental powers during the interim period, including:

• issuing any new Code of Conduct or approving any new certification mechanism relating to data transfers;
• approving new UK Binding Corporate Rules; or
• approving new form Standard Contractual Clauses.

The timetable for the EC making an adequacy decision was always ambitious, and even with an additional six months is perhaps unfeasible. Previously, the EC has taken several years to come to a conclusion on adequacy for countries like Israel and Japan. Even though the UK has the UK GDPR in place, it has other potential roadblocks that could undermine the adequacy finding—the most obvious one being the UK’s approach to processing of bulk surveillance information, which the Court of Justice of the European Union has already criticised. Organisations could be in for a long wait until the EC makes its decision and may therefore want to start putting in place alternative transfer mechanisms now, rather than anticipate a positive adequacy decision being reached before the end of the interim period. Of course, there is also the possibility that the EC could ultimately decide against a positive adequacy decision (whether within or following the interim period).

Data transfers from the UK to the EEA

The UK has, on a transitional basis, already deemed the EU and EEA states to be adequate for data flows from the UK. This means that, pending further review, alternative transfer mechanisms (such as the Standard Contractual Clauses) are not required for data flows from the UK to the EEA.

Data transfers to and from existing EU-adequate countries to the UK

The following countries have noted that they will allow uninterrupted data transfers to the UK (and vice‑versa, from the UK): Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, New Zealand, Switzerland, and Uruguay. Andorra is the only non-EEA country with an adequacy decision that has not yet finalised its transfer arrangements with the UK.

Data transfers from the UK to non-adequate countries based on Binding Corporate Rules

Although the UK’s requirements for Binding Corporate Rules (BCRs) are aligned with the EU (at least for now), organisations relying on BCRs in respect of transfers out of the UK to non-adequate countries will likely need to take additional steps in order to have them recognised by the ICO. This will depend on whether the BCRs have been approved yet by the ICO and, if so, when they were approved. We discuss this in more detail in this alert.

Appointing a DPO in the UK

The UK GDPR contains the same DPO requirements as the GDPR. This means that if organisations already have an EU DPO, they can appoint the same DPO to cover UK requirements, provided the DPO is easily accessible from both the UK and the EEA. Any organisations appointing a new DPO in the UK (regardless of where the DPO is based) will need to notify the UK Information Commissioner’s Office (the ICO) about the appointment.

One-Stop-Shop

The ICO will no longer form part of the GDPR One-Stop-Shop mechanism. Organisations will therefore no longer be able to use the ICO as their lead data protection authority (DPA) to handle cross-border processing and related complaints. This will also have knock-on effects for organisations relying on Binding Corporate Rules who had the UK as their lead DPA; in such a case, organisations will need to (if they have not already) pick a new EU DPA to act as their lead.

The EDPB notes in its statement regarding the end of the Brexit transition period (the EDPB Statement) that it has been liaising with the ICO for the past months to enable a smooth transition and to ensure that EEA authorities follow an efficient approach in handling existing complaints and cross-border cases involving the ICO. It remains to be seen how this shift will manifest itself in practice.

As also set out in the EDPB Statement, organisations whose ‘main establishment’ is currently in the UK should consider where they now have a new main establishment in the EEA—the location of that main establishment will determine which DPA should be the lead for any cross-border cases under the GDPR One-Stop-Shop mechanism.

Appointing EU and UK Representatives

Organisations not established in the EEA but whose processing activities are subject to the GDPR by virtue of offering goods or services to individuals in the EEA and/or monitoring the behaviour of individuals in the EEA) must designate an EU representative. According to the EDPB Statement, the representative may be addressed by DPAs and individuals on all issues related to processing activities in order to ensure compliance with the GDPR. This will be relevant to:

• organisations that are based outside the EEA and the UK but whose current European representative is in the UK; and
• UK organisations that remain subject to the GDPR but have no branch, office, or other establishment in the EEA (e.g., because they are based solely in the UK).

Note that, under the UK GDPR, organisations outside of the UK are also required to appoint a UK representative if they have no UK offices, branches, or establishments, and either (i) offer goods or services to individuals in the UK or (ii) monitor the behaviour of individuals in the UK.

What Next?

Coming out of the Brexit transition period, the most pressing issue for organisations will be the outcome of the EC’s adequacy assessment. While a positive decision will surely make things a lot easier, neither the UK nor the EU has yet tipped its hand as to which way the assessment will likely go. Based on what we’ve seen so far from both sides, there is no guarantee that the interim period will turn into a long-term adequacy decision.

Looking more into the long term, it will be intriguing to see how the ICO develops its strategies and, concurrently, how the UK government tackles data protection legislation—particularly in comparison to their EU counterparts. Both the UK and EU appear to want to balance ongoing dialogue and cooperation with regulatory independence over data protection matters; this has been enshrined in the Agreement. Furthermore, the ICO’s Information Rights Strategic Plan, which has been in place since 2017, indicates an intention, post-Brexit, to maintain a close relationship with EU partners and institutions as well as data protection regimes and communities outside the EU. Given that this Plan is due to expire at the end of this year, there may well be a policy shift in favour of the ICO working more with non-EU regimes. As the situation evolves, we will keep you updated of any key developments.