EU-UK Brexit Deal grants an interim data transfer window

On Christmas Eve, the EU and UK announced that they had reached an agreement on their future relationship, which we expect to come into effect on 1 January 2021 (the “Brexit Deal”). Further details of the deal itself will be discussed by my colleagues on our Beyond Brexit blog, available here. And for the most part, the Brexit Deal does not deal with data protection specific issues.

However, for those data practitioners amongst us, you will know that the main area of concern related to Brexit has long been the issue of data transfers and whether or not the UK will be considered ‘adequate’ for GDPR purposes. In this respect, the Brexit Deal does throw a slightly unexpected lifeline of sorts.

The interim data transfer window

Article FINPROV.10A (Interim provision for transmission of personal data to the United Kingdom) provides for a four month window (which can be extended to six months) during which the UK will still not be treated as a ‘third country’ for GDPR purposes, thereby allowing the free flow of data from the EU and EEA Member States to the UK. So far so good, and many companies may be breathing a sigh of relief that the 31st December ‘cliff edge’ has been avoided. However, the interim data transfer window comes with strings attached.

The draft Brexit Deal makes it clear that the interim data transfer window will only remain open provided that the UK: (i) does not change its data protection laws from those in place on 31 December 2020 (i.e. the UK GDPR); and (ii) does not exercise any of its ‘designated powers’ without agreement from Europe. The ‘designated powers’ referred to are a relatively long shopping list of actions that the UK may not take with respect to international data transfers. For example, it may not publish its own set of ‘standard contractual clauses’ or approve a draft Code of Conduct with respect to international transfers of data. If the UK takes any such action without agreement from Europe, then the transfer window will automatically close (meaning the companies would need to put additional transfer mechanisms in place to legitimise the transfer of data from the EU to the UK). This appears to be a relatively significant restraint on the UK’s autonomy over its own laws in the pending post-Brexit world, although presumably a concession that the UK was willing to make given that it had always intended to effectively transpose the GDPR into UK domestic law.

Implications for adequacy

It is difficult at this stage to understand what the implications of the Brexit Deal could be for the ongoing adequacy assessment being undertaken by the European Commission. The establishment of an interim 4-6 month data transfer window could lead some to be cautiously optimistic that the European Commission simply needs a bit more time to dot its ‘i’s and cross its ‘t’s with respect to adequacy. However, the relatively long shopping list of actions that the UK is prevented from taking in the field of data protection in order to keep the data transfer window open for that 4-6 month period hints at a nervousness within the European Commission that the UK may move away from the principles of the GDPR in the future, something that could prevent an adequacy decision being granted in its favour. As a result, many companies may be left with the distinct impression that the deal is simply delaying the inevitable cliff edge when it comes to data transfers. The implications of not obtaining an adequacy decision are particularly concerning when considering the possible implications of the CJEU judgment in the Schrems II case earlier this year (for further details, please see our Schrems blog posts available here). So whilst the interim data transfer window provided by the Brexit Deal will likely be welcomed, there nonetheless remains an anxious wait to understand the European Commission’s position on the long-term adequacy of the UK in the eyes of data protection law.

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Airbnb, TripAdvisor, Booking.com and Expedia strike data sharing deal with the EU

5 March 2020 saw the European Commission (EC) announce an unprecedented agreement with short-stay accommodation titans Airbnb, Booking.com, Expedia and TripAdvisor to share and publish data (on the number of nights booked and the number of guests staying) with the EC via Eurostat (the EU’s statistical office) (press release here). Eurostat will then aggregate the data by municipality and publish that data on a Member State and individual region level.

This collaborative venture represents an initial step by the EC in tackling the absence of regular and reliable data in this area, and recognises the need to balance: (a) the opportunities for micro-entrepreneurs using these growing platforms; and (b) adverse societal effect on local communities of landlords using their properties for short term lets, e.g. increasing property prices.

While this agreement has been universally welcomed, it is noted that there are other categories of information that could also be useful from a policy-making perspective, such as the number of listings, hosts, beds and types of accommodation.

A number of cities including Paris, Barcelona, Berlin and Amsterdam have previously sought to place restrictions on the use of short-stay accommodation platforms, but this has not always been successful. For example, on 19 December 2019, the Court of Justice of the European Union (the EU’s most senior court) ruled that Airbnb did not have to meet particular regulatory requirements as it was correctly classified as an intermediation service rather than an estate agent (a stark contrast to their ruling on Uber with respect to the transportation services space). This new data sharing agreement does not tackle the limited regulatory restrictions that can be placed on online platforms. However, the EC hopes that this data collaboration will allow for more informed and balance policymaking.

With a 2019 survey showing that 21% of EU citizens use a website or app to arrange accommodation, there have been numerous calls for a digital regulator to better police this space. It is thought that the much anticipated Digital Services Act will make some progress on this front, but the slow development of this legislation may struggle to match the evolving issues face by online platforms. That said, this remains an interesting example of big tech companies collaborating with supranational bodies on regulation, as well as regulators seeking to become better informed on the nature and effect of new technology platforms to ensure informed decision making in this space.

This information on short-stay accommodation is anticipated to be publicly available as soon as Q3 2020.

David Coulling

David Coulling
Partner, Digital TMT and Sourcing, London
+44 20 7466 2442

Miriam Everett

Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378

Jonathan Stephenson

Jonathan Stephenson
Associate, London
+44 20 7466 2655