On 1st January 2021 the transition period in the Brexit withdrawal agreement ended and trade relations between the UK and EU are now governed in part by the EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). This blog post focuses on the changes to UK data protection law and on the mechanisms for effectuating personal data transfers between the UK and third countries and vice versa. Particular attention is paid to provisions in the Trade Agreement which provide transitional relief in respect of EEA-UK transfers. It confirms that whilst the transitional measures are welcome, the longer-term arrangements remain uncertain because an adequacy assessment is underway, and it is by no means certain that the Commission will find the UK adequate.
The GDPR and UK GDPR
The General Data Protection Regulation (GDPR), as an EU Regulation, no longer directly applies in the UK. However, to ‘maintain the data protection standards in the GDPR in UK law,’ the GDPR has been saved into UK domestic law. It falls within a new category of law created by the European Union (Withdrawal) Act 2018 known as ‘retained EU law,’ and has been renamed the UK GDPR so as to differentiate it from the GDPR. The UK GDPR must be read alongside the Data Protection Act 2018, which gives effect to national derogations originally permitted by the GDPR.
For the most part, the UK GDPR is the same as the GDPR, albeit with references to ‘Union or Member State law’ replaced with references to ‘domestic law,’ and references to decisions made by the EU Commission replaced with references to decisions made by the UK Government. The fundamental principles, obligations on data controllers and processors, and rights for individuals remain the same as those in the GDPR (save for the one stop shop principle, discussed below), and the ICO remains the UK’s national supervisory authority. The continued alignment of UK law with the GDPR makes compliance planning and preparation easier for businesses that process personal data.
Having said that, the effect of having two different laws is to impose additional compliance burdens on some organisations. Not only do UK based businesses that process personal data of individuals in the UK need to comply with the UK GDPR and Data Protection Act 2018; so too do EEA based organisations, with or without an establishment in the UK, that offer goods or services to, or monitor the activities of, individuals in the UK, because the UK GDPR has extra-territorial effect.
In addition, UK data controllers without an establishment in the EU that offer goods or services to, or monitor the activities of, individuals in EU countries must appoint a representative in an EU country (unless their processing of personal data is occasional and does not include, on a large scale, processing of special categories of data), a burdensome requirement for small and medium-sized entities that lack appropriate financial and legal resources. The representative must be identified in Privacy Notices and can be sent communications from EU individuals and EU data protection supervisory authorities. The representative needs to maintain records of processing activities and co-operate with a supervisory authority if it raises any issues. Similar obligations to appoint a UK representative apply in respect of EU data controllers without an establishment in the UK, increasing the compliance burden.
Trade Agreement – additional transitional arrangements
Significantly, the Trade Agreement does not deal with the key question of whether the UK’s data protection regime is “adequate” (i.e., provides an essentially equivalent level of protection to the EU) so as to permit free movement of data from EEA countries to the UK. It is silent on this matter because an adequacy assessment is a separate process to a trade deal and although the Commission commenced its assessment in 2020 the process is not yet complete.
Ordinarily this would mean that additional safeguards would be required to transfer personal data from EEA countries to the UK. However, the Trade Agreement provides that the UK will not be treated as a third country for GDPR purposes for an additional transition period that began on 1st January 2021 and ends either (1) on the date on which an adequacy decision in relation to the UK is adopted by the European Commission under Article 45(3) of the GDPR, or (2) a period of four months, which can be extended by two months by agreement. As cross-border personal data flows are essential for several sectors of the UK economy such as ecommerce, financial services, telecoms, travel, and tourism, the continued free flow of data between EEA countries and the UK during the additional transition period is welcome.
However, the arrangement is conditional on the UK not amending its data protection legislation or exercising certain “designated powers” relating to international transfers without the EU’s agreement during the additional transition period. It contains an exception for UK amendments to align with rules applicable in the EU. The European Commission has published a draft implementing decision relating to new standard contractual clauses for data transfers. If the EU adopts these new clauses, the exception will allow the UK to adopt the same updated clauses, should it wish to do so. But, if the UK changes its data protection laws (other than to align with updates to EU data protection law), or exercises any of the designated powers without consent, the additional transition period will automatically end.
Whilst the inclusion of an additional transition period in the Trade Agreement provides a degree of certainty and stability for businesses, many would no doubt prefer greater certainty regarding the likely outcome of the adequacy assessment because alternative mechanisms are time consuming to implement – so many will worry that if the UK is not found to provide an adequate level of protection, they will find themselves on a data protection cliff edge in a few months.
Likelihood of adequacy – Contingency Plans
It remains to be seen whether the Commission will find the UK ‘adequate,’ particularly in light of the CJEU decision in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (C-623/17), which cast doubt on whether the Investigatory Powers Act 2016 contains substantive limits and sufficient safeguards regarding powers to retain and access bulk data for national security purposes to be compatible with EU law.
Some commentators have speculated that the UK will secure a finding of adequacy, whilst others have forcefully argued that it should not. In my view it is possible that the UK will be found adequate because adequacy assessments involve not only legal considerations but political and economic considerations too and this can prompt the Commission to make a finding of adequacy despite legal deficiencies. Moreover, I concur with others that the UK may obtain but struggle to retain an adequacy decision, but that discussion is for another day!
For businesses, the key issue is what steps, if any, they need to plan for and implement at the end of the additional transition period. As the outcome of the adequacy assessment is not a foregone conclusion, the UK Information Commissioner’s Office (the “ICO”) welcomed the additional transitional period in the Trade Agreement but also advised, ‘as a sensible precaution,’ that UK businesses work with EU and EEA organisations who transfer personal data to them to ‘put in place’ alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or be prepared to rely on derogations to facilitate EEA-UK personal data transfers.
Whilst BCRs and SCCs would be the most suitable alternative mechanisms for many organisations, it must be noted that they are burdensome, complex and costly to implement, as EDPB Guidance requires companies to conduct ‘mini adequacy assessments’ of countries to which data is transferred, using the same criteria as the European Commission when assessing adequacy, and they are potentially open to legal challenge following Schrems II. Consequently, small and medium sized businesses will not be able to afford to take such steps, whilst larger businesses that can afford them would no doubt resent the expenditure if it later proved unnecessary. In short, the advice is prudent but not likely to be followed by many.
Transfers from the UK to third countries
As for UK to third country transfers, the UK has transitionally recognised all EEA countries, EU institutions and bodies as providing an adequate level of protection. Gibraltar is recognised as offering an adequate level of protection, no doubt because it is a British overseas territory. It has also transitionally recognised the 12 countries that have received EU adequacy decisions, namely: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private-sector organisations), New Zealand, Switzerland and Uruguay as providing an adequate level of protection. This will ensure transfers from the UK to these 42 countries can continue in the short-term without additional regulatory checks or safeguards, whereas appropriate safeguards will be needed in respect of transfers to all other third countries.
Going forward, the UK Secretary of State for Digital, Culture, Media and Sport will maintain a list of countries, territories and organisations it has deemed adequate, and will have the power (via negative resolution with no input from the ICO) to revoke existing adequacy decisions and to conduct its own adequacy assessments.
The position regarding transfers of personal data from the UK to the US is, however, more complicated and uncertain following the invalidation by the ECJ in Schrems II of the adequacy decision known as Privacy Shield pertaining to EU-US personal data transfers.
Prior to the Schrems II decision the UK government intended to utilise a modified Privacy Shield arrangement, i.e., one specific to UK-US transfers, to facilitate transfers. Whilst the UK government now has the autonomy to implement such a transfer mechanism, it is unlikely to exercise that power immediately because doing so would likely trigger the end of the additional transitional arrangements. Moreover, the Commission will review onward transfer arrangements as part of its adequacy assessment; it would no doubt have concerns about onward transfers of EU citizens’ data from the UK to the US via a mechanism similar to one that has been declared invalid by the CJEU. Accordingly, businesses are advised to continue to use Standard Contractual Clauses bolstered by appropriate supplementary contractual, organizational, and technical measures, as advised by the EDPB, to facilitate transfers to the US.
Main establishments and the ‘One Stop Shop’ principle
Under the GDPR, EEA-based organisations which carry out processing in more than one EEA country only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the ‘One Stop Shop’ principle. It means, for example, that a single fine would be imposed by one EEA authority as a result of an infringement that occurred in a number of EEA countries.
However, organisations with a main establishment in the UK and no establishments in the EEA cannot rely upon the GDPR ‘One Stop Shop’ principle. Yet, as the GDPR has extra-territorial effect in certain circumstances, they may have to deal with the supervisory authorities in all EEA states where the data subjects whose personal data they process are located. This requirement is prompting organisations with a main establishment in the UK and establishments in the EEA to consider appointing one of their EEA establishments as their main establishment, to take advantage of the GDPR ‘One Stop Shop’ and avoid being at risk of regulatory action from multiple EEA regulators. Even so, where cross-border processing involves the EEA and the UK, they will still be subject to the ICO’s jurisdiction, as well as the lead EEA regulator. The compliance burden for some data controllers has now increased: a data breach with a multi-country dimension could require notification of both the ICO and at least one EU supervisory authority, and each supervisory authority could investigate and impose sanctions, e.g., fines. For this reason, some US-owned companies such as Facebook and Google have decided to transfer all their UK users into user agreements with the corporate headquarters in California, moving them out of the control of European Union data protection regulators (rather than face potential legal action in both the EU and UK).
The UK and EU have entered a new phase of ‘looser’ trade relations but remain inextricably linked for data protection purposes, and not just because the issue of a finding of adequacy remains unresolved and uncertain. Rather, it is because the extra-territorial provisions in both the UK GDPR and the GDPR create the conditions for dynamic alignment and synergy between the frameworks, at least for so long as each wants to facilitate ‘free flows’ of data to the other.
Dr Karen Mc Cullagh, Lecturer in Law, University of East Anglia