The UK and the European Union have finally struck a trade deal, but what does this mean for data protection?
The deal was finally agreed on 24 December 2020, nearly four and a half years after the UK voted to leave the EU. The EU-UK Trade & Co-operation Agreement (TCA) is a long document setting out the terms agreed between the two parties. It came into effect on 31 December 2020 at 11pm after being approved by the UK Parliament and ambassadors of EU member states.
What does the TCA say about data protection?
The TCA specifically states that the EU and the UK are both committed to upholding high standards of data protection. What this means in practice remains to be seen. However, the General Data Protection Regulation (GDPR) has been incorporated into UK law and we expect UK organisations to have to comply with this for the foreseeable future.
For businesses, the main Brexit data protection concern was data transfers after the end of the initial Brexit transition period on 31 December 2020. Before the Brexit deal was agreed, and in the absence of any EU-UK adequacy agreement, any data transfer into the UK from an EU-based jurisdiction from 1 January 2021 would have been deemed by the EU to be a transfer to a third country. Any such transfers would have needed to use appropriate data transfer safeguards as set out in Chapter V of the General Data Protection Regulation.
The good news for UK and EU-based organisations with data transfer exposure is that the TCA provides for an interim period potentially lasting six months. During this time any data transfers from the EU to the UK can continue to be treated as they were before the end of the transition period.
The TCA states that the interim period is initially four months to 1 May 2021. However, in the absence of any adequacy agreement being issued by the EU, an automatic extension of an additional two months to 1 July 2021 is applied (unless the EU or the UK objects). The TCA includes certain caveats to the interim period being allowed to stand, such as the UK not changing its own data protection legislation or exercising certain designated powers during the interim period specifically in relation to data transfers.
As part of the TCA, a TCA Partnership Council has been set up (with representation from both sides), and any changes that the UK wishes to make within the interim period need to be approved by this Council.
If any of these clauses are breached by the UK, the interim period will automatically cease and, in the absence of any EU-UK adequacy decision being granted, data transfers will need to be covered by appropriate safeguards.
The TCA makes no reference to the EU-UK adequacy decision. The process for the UK to obtain the adequacy decision from the European Commission began long before the deal was agreed and is deemed to be separate from any TCA negotiations. The adequacy decision process is ongoing and we expect to hear something more in the coming months. However, the TCA’s inclusion of the interim period of up to six months may suggest that the EC will make a decision before the end of this period.
The adequacy decision is by no means guaranteed for the UK. Remember the Schrems II decision in 2020 and the invalidation of the EU-US Privacy Shield? The main contributing factor was that the EU had no comfort that US surveillance data-processing activities being employed upon the transfer of EU-based personal data to the US were in line with EU law. The same issue applies with the UK and how the EU views the UK’s national security processing activities. The EU may have an issue with this regardless of the TCA being agreed and approved.
If the UK is granted adequacy by the EC, this will enable the free flow of personal data between the EU and UK without the need to put transfer safeguards in place. It is important to clarify that this applies only to data transfers from the EU into the UK. For data transfers going the other way, i.e. UK to EU, the UK has already stated that it views any EU jurisdiction to be adequate, although this is to be kept under review.
Other TCA data protection considerations
The TCA states that the EU and the UK are committed to ensuring cross-border data flows in order to facilitate trade in the digital economy, providing a list of potential restrictions for this to be effective. These include the need for data localisation within the EU or UK or the need to use computing facilities approved in one territory of the EU or UK. This part of the TCA will be reviewed after three years.
The TCA includes some provisions for the sharing of personal data in respect of law enforcement, e.g. DNA data, Passenger Name Records (PNR), fingerprint and vehicle registration data. However, in order to maintain the high standards of data protection both the EU and the UK have committed to, either party has the right to suspend this part of the TCA if there is deemed to have been a serious and systematic deficiency within the EU or the UK’s data protection requirements i.e. the fundamental right to personal data protection.
The TCA sets out some rules around how organisations market themselves to individuals to protect them against unsolicited direct marketing using a telecommunication service (email, SMS, MMS). Individuals must not be directly marketed to unless they have given their consent to receiving such communications in accordance with EU and UK laws.
The TCA recognises that where an individual has provided their contact details previously in the supply of goods or services, the EU or UK will be allowed to send direct marketing communications to that individual for similar goods or services i.e. the soft opt-in approach.
All direct marketing communications should be clearly identifiable, disclose who they are for and provide the individual with the option to cease such communications free of charge and at any moment. They should also provide individuals with access to redress against suppliers of direct marketing communications that do not comply with these measures.
Agreeing the TCA is one milestone. What matters now is the adherence of both the EU and the UK to its content, including all the details around data protection. The introduction of the TCA Partnership Council will ensure that there is a fair forum for requested dialogue and change where required. UK and EU-based organisations are advised to keep an eye on the TCA Partnership Council’s active participation in the coming weeks and months to ensure that any changes are taken note of and can be applied to their organisation as necessary.
The introduction of an interim period in respect of data transfers benefits UK and EU-based organisations. It avoids the immediate issue a significant number of entities have around data transfers where no safeguards currently exist. It gives organisations additional time to think about their approach and start preparing as necessary for the scenario that the UK does not receive an adequacy decision. Organisations have also gained more time to identify where exactly they are exposed to data transfer risk - an issue requiring attention regardless of the Brexit deal or the adequacy agreement being agreed or not.
Finally, it is important to highlight that, for a UK-based organisation, the EU GDPR is still fully effective from 1 January 2021, as it was before the TCA was agreed. For any data processing involving EU individuals after 31 December 2020, UK companies should continue to apply the EU GDPR. This is a pre-condition for the interim period for data transfers described above and the UK version of the GDPR under any adequacy decision is expected to stay aligned with the EU GDPR.
Please get in touch if you would like to find out more on this subject or to have a more detailed discussion about how your organisation could be affected.