On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.
However, the data practitioners amongst us will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.
The interim data transfer window
Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four-month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.
The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning that companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.
Implications for adequacy
It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.
As we all continue to try to grapple with the implications of a no-deal Brexit, the last week or two has seen the publication of a few things of interest from a data protection perspective:
The EDPB’s view of data transfers in a no-deal Brexit scenario
On 12 February 2019, the European Data Protection Board (the “EDPB”) published a general information note on data transfers under the GDPR in the event of a no-deal Brexit (available here). In summary, the information note provides that organisations must comply with the GDPR when transferring personal data from the EU to the UK, which will become a “third country” for GDPR purposes (from 00.00 am CET on 30 March 2019). No new or additional safeguards are contemplated by the EDPB, which effectively means that organisations must choose between:
- Standard contractual clauses (which the EDPB acknowledges are “ready to use”);
- Binding corporate rules;
- Codes of conduct or certification mechanisms (although none are yet approved/available under the GDPR); or
- Derogations such as individual explicit consent (although the EDPB emphasises that the derogations must be interpreted restrictively and mainly relate to processing activities that are occasional and non-repetitive).
For further information regarding the potential impact of a no-deal Brexit on data transfers, including an analysis of worked examples, please see our previous blog post available here.
The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.
On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.
Transferring data from the UK to the EU
Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.
The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.