Common sense prevails in post-Brexit data transfers
The Interim Agreement enables seamless data transfers to the UK while the EU Commission still works on the UK adequacy decisions. By Lucas Atkin of Greenwoods GRM LLP.
It’s not often we see the phrases “common sense” and “Brexit” in close proximity, but the UK and EU have reached a logical interim solution which sets the stage for seamless data privacy cooperation in the future.
In brief, the EU-UK Trade and Cooperation Agreement (the Agreement):
- provides a sensible and sustainable platform for the continued free flow of personal data between the parties;
- provides a clear route to an adequacy decision;
- includes a workaround in case of legal challenge to any adequacy decision; and
- shows that both parties understand the practical value of mutual standards and cooperation.
As you were: the immediate outlook
After years of posturing in public and warnings about loud ticking clocks, the UK and the EU have agreed a grace period of up to six months for personal data to continue to flow freely between them despite the UK’s technical status as a third country(1). In essence, the Agreement allows personal data to move between the UK and EU for business and law-enforcement purposes without implementing additional compliance safeguards until, hopefully, an adequacy decision is approved. Businesses transferring personal data between the UK and EU therefore do not need to take any further action for the moment.
Despite the Prime Minister’s claim that the UK has “taken back control” of its laws(2), the UK has ceded some degree of legal sovereignty to pay for the temporary arrangement. For the length of the arrangement, the UK cannot:
- change its domestic data protection law from the form it took as at 31 December 2020; or
- exercise any of its new designated powers under the new domestic data protection law regime without the EU’s agreement.
If the UK fails to observe these rules, the interim arrangement automatically ends. Think of it as the UK being, in effect, on probation.
For the avoidance of doubt, other flows of personal data remain unaffected. Personal data can continue to be transferred from the UK to third (i.e. non-EEA) countries as before 1 January 2021 – the UK has maintained the EU’s approach to international transfers and adequacy decisions(3).
The awkward sequel: will an adequacy decision follow?
In brief, while the Agreement does not guarantee an adequacy decision, the author would be surprised if such an outcome was not forthcoming after six months.
There remains an underlying, undeniable fact which this Agreement seems to recognise: the UK is the only third country to have implemented (and enforced) the GDPR. The UK is a departing EU member state – to suggest that its domestic data privacy law (which is effectively a copy-and-paste job of the GDPR) does not offer essential equivalence would have the knock-on effect of setting the adequacy bar impossibly high in relation to future decisions (for example in relation to South Korea or certified US companies under the Privacy Shield’s eventual replacement). It could further prove a barrier to the continuation of existing adequacy decisions (some of which are in the process of being reviewed).
In addition, on a practical level – given that long-established rules of free movement of goods and people through the UK have only just been abolished, and given the value of London as a European hotspot for professional services – there are many EU businesses transferring personal data to or through the UK. Without adequacy, the types of substantial extra costs and compliance burdens which this Agreement aims to avoid would remain a real risk. This would seem politically suicidal for the EU, especially as businesses on the Continent continue to bear the brunt of the pandemic (and express dissatisfaction with the bloc’s approach to bulk vaccination)(4).
However, while there is now a path to adequacy, this does not mean there are no obstacles. For a start, any adequacy decision which benefits the UK must still follow protocol – a proposal from the European Commission, a formal opinion from the European Data Protection Board (EDPB), approval from Member States and an adopting decision by the Commissioners. Many of these bodies and their organisational heads have been less than impressed with the UK’s conduct since the 2016 referendum. A six-month turnaround time would be the quickest in history.
Further, even if an adequacy decision is eventually granted, this does not mean it won’t be challenged and potentially declared invalid by the Court of Justice of the European Union (CJEU) along similar lines as the challenge to the Privacy Shield in Schrems II. Examples of sticking points include the UK’s insistence on sweeping surveillance powers for national security purposes (particularly in the light of the CJEU’s decision in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (C-623/17))(5), or the UK government’s insistence on relaxed rules around its use of personal data relating to immigration to the UK.
In theory, this issue is addressed by the Agreement’s establishment of a Partnership Council. The Council supervises the parties’ compliance with the Agreement and can make recommendations regarding transfers between them under the Agreement or any supplemental arrangement (i.e. an adequacy decision). This provision, again in theory, may allow any challenges to be dealt with before revocation of any adequacy decision (and consequent disruption), or alternatively it could allow for a political decision or manoeuvres which prevent or supersede an adverse CJEU finding. This does not completely avoid problems (there would be difficult tension in case of a conflict between a CJEU decision and a differing Partnership Council strategy, not least given that the UK no longer considers itself subject to CJEU jurisdiction), but it does appear that there is room for workarounds and consequent mitigation of the immediate risk of businesses bearing the brunt of a successful challenge or invalidation.(6)
A sigh of relief: the impact on business
Before the Agreement, many UK and EU businesses were concerned about the cost and time required to implement additional compliance measures to facilitate continued transfers of personal data, especially in the light of Schrems II. Recent research estimated that the cost to UK businesses without an arrangement being concluded would have been approximately £1.6 billion(7). The immediate impact is that such costs and compliance measures will not be necessary.
This may cause irritation to those UK/EU businesses which, faced with significant uncertainty and trying to be responsible in planning for the future, had incurred the expense of putting in place alternative transfer mechanisms such as amended Standard Contractual Clauses. They may justifiably feel like pawns in a game of political chess. However, on balance, this arrangement will likely be more welcome in the long run (and these measures may not end up as a waste of money if adequacy is not agreed, or suffers disruption from a legal challenge).
However, while the international transfer issue has been (at least temporarily) addressed, there are other practical points for UK and EU businesses to consider:
As pointed out by France’s Supervisory Authority, the CNIL(8), despite the Agreement, the UK is excluded from the EU GDPR’s One-Stop-Shop mechanism. In practice, this means that:
- The UK GDPR has extra-territorial scope, so controllers and processors who are not “established” in the UK but use personal data there to offer goods or services, or monitor individuals’ behaviour, in the UK will need to designate a formal representative(9).
- The opposite applies: UK companies trading with the EU may be subject to the EU GDPR and need to designate a formal representative there(10).
- There is a genuine risk of dual regulatory burden: for example, EU companies which have a branch or offering in the UK may be deemed “established” in the UK(11) and may be subject to both the EU and UK GDPRs, and therefore the jurisdiction of multiple regulators. This can cause practical issues, especially where some regulators adopt a more conservative approach to interpretation than others.
- It is likely that many contracts, policies and procedures will need to be tweaked to reflect these technical differences.
It looks like both parties recognise the importance of mutual standards and cooperation. The Agreement specifically states that both parties “affirm their commitment to ensuring a high level of personal data protection” and confirm their willingness “to work together to promote high international standards”.(12)
However, the author does not recommend that businesses plan for any drastic changes or interruption at this point.
Overall, the Agreement is a sensible and welcome step in the direction of continued cooperation and barrier-free transmission of personal data between the EU and UK. Adequacy continues to be the likely outcome given the undesirable outcomes for businesses otherwise, and we appear to be closer than we ever have been. Suggestions to the contrary seem to have been – much to the chagrin of businesses – political posturing.
Lucas Atkin is Head of Data Privacy at Greenwoods GRM LLP.