Following the end of the Brexit transition period, the EU-UK Trade and Co-operation Agreement (TCA) came into effect on 1 January 2021. The TCA sets out the terms on which the EU and the UK will trade following the UK’s exit from the EU and (amongst very many other things) affirms the parties’ “commitment to ensuring a high level of protection of personal data”. In this article, we summarise the implications of the TCA for data protection law and set out considerations to be borne in mind by organisations that transfer personal data from and to the EU and the UK over the coming weeks and months.
EU to UK data transfers expressly permitted under the TCA
From 25 May 2018 until 31 December 2020, UK data protection law was largely governed by the EU’s General Data Protection Regulation (EU GDPR). With effect from 1 January 2021, the UK has adopted its own UK-specific version of the GDPR (UK GDPR), which will apply in the UK independently of the EU’s GDPR.
Although day-to-day compliance standards will, as a result, not change materially, there will be a significant impact on the legal mechanics of data transfers between the EU and the UK from 1 January 2021. This is because, in broad terms, the general position under the GDPR is that personal data may not be transferred to a “third country” unless an “adequacy decision” has been issued in respect of that country, or some other legal mechanism, for example standard contractual clauses, has been put in place. As a reminder, an adequacy decision is a finding that a third country or territory offers levels of protection for personal data that are “essentially equivalent” to those protections provided by EU law, including the GDPR. Following the UK’s exit from the EU, the UK is now a “third country” for EU GDPR purposes and the European Commission has not (yet) issued an adequacy decision in respect of the UK (but see below).
Until very recently, it had looked as though additional safeguards would soon be required to transfer personal data from the EU to the UK, with the UK becoming a “third country” under the EU GDPR without an adequacy decision from the European Commission. However, under the TCA, from 1 January 2021 until whichever is the earlier of: (a) the European Commission issuing an adequacy decision in relation to the UK; or (b) 1 May 2021 (Interim Period), “[the] transmission of personal data from the [European] Union to the United Kingdom shall not be considered as transfer [sic] to a third country under Union law”. If the European Commission does not issue an adequacy decision in respect of the UK by 1 May 2021, the Interim Period may be extended by a further two months (up to 1 July 2021), unless either party objects.
Crucially, however, this arrangement extending the free flow of personal data from the EU to the UK is subject to two conditions, namely that, for the duration of the Interim Period, the UK does not:
- change its data protection legislation, as it was on 31 December 2020; or
- exercise its “designated powers”, without the prior agreement of the EU.
The full list of the United Kingdom’s “designated powers” is set out at Paragraph 3 of Article FINPROV.10A of the TCA. In summary, these comprise the UK’s powers to:
- make its own “adequacy decisions” about countries or territories outside the UK, or to publish UK-specific versions of standard contractual clauses under the UK GDPR;
- approve a new draft code of conduct or certification mechanism under the UK GDPR, which could be relied on to provide appropriate safeguards for transfers of personal data outside the UK; and
- approve other “gateway” mechanisms providing a lawful basis for ex-UK transfers of personal data under the UK GDPR, including new binding corporate rules, new contractual clauses between controllers and processors, or new administrative arrangements between public authorities.
If, during the Interim Period, the United Kingdom amends its data protection legislation or exercises any of its designated powers, the Interim Period will terminate automatically.
There is, however, an exception where the UK makes amendments to its data protection laws to align with changes made to relevant EU data protection laws. For example, the European Commission has recently published a draft implementing decision relating to new standard contractual clauses for data transfers (replacing the current versions approved by the European Commission in 2001, 2004 and 2010). If the EU adopts these new clauses, this exception would allow the UK to adopt the same clauses without the approval of the EU, and without compromising the free flow of personal data from the EU to the UK under the TCA.
Pending adequacy decisions and the importance of a “plan B”
The Interim Period is designed to allow time for each of the EU and the UK to issue adequacy decisions recognising the other jurisdiction as offering equivalent protection for the transfer of personal data – essentially declaring that the EU and the UK are “safe” places to send personal data. And indeed, the EU-UK Joint Declaration, published alongside the TCA, is clear that the European Commission, for its part, intends to “launch the procedure for the adoption of adequacy decisions with respect to the UK” without delay and in a co-operative manner:
“The Parties take note of the European Commission’s intention to promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the General Data Protection Regulation and the Law Enforcement Directive, and its intention to work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure”.
Nevertheless, despite these positive noises, it remains difficult to predict whether the European Commission will actually issue an adequacy decision for the UK. While some data protection practitioners are cautiously optimistic that the establishment of the Interim Period is a step in that direction, the restrictive conditions imposed on the UK under the TCA indicate a level of distrust on the part of the European Commission that could, in the event, result in a refusal to grant an adequacy decision in respect of the UK.
Accordingly, the ICO recommends that “as a sensible precaution, before and during [the Interim Period] […] businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data” come May or July this year. Alternative transfer mechanisms might include, for example, standard contractual clauses (noting the complexities introduced by the Schrems II decision last year in respect of these clauses, which we wrote about here), binding corporate rules or potentially making use of limited derogations for specific situations.
Conclusion and thoughts on next steps
Of course, at a time of particular economic and political uncertainty, making such preparations will come at a cost – in both time and resources – for businesses and other organisations that need to transfer personal data from and to the UK. While timely steps will be necessary over the next four to six months, ultimately the level of engagement with this preparation process will be a matter for each organisation to determine based on its unique position, prioritisation of resources and assessment of the risk to its reputation and indeed of enforcement action, as well as the nature of the data transfers in question and how “mission critical” they are.
Indeed, in our view, there is merit in waiting a little while to see what happens with the EDPB draft guidance on Schrems II (which we wrote about in our November article), what the ICO says about that guidance, and whether the European Commission’s new standard contractual clauses are adopted and then accepted / issued by the ICO. While we would not advise waiting forever – and for example “mapping” your organisation’s international data transfers and thinking about which of them are most important is something that can start or be reviewed now – the TCA has certainly bought some time for EU and UK organisations to think more strategically and purposefully about this, and indeed for the data protection regulators to produce some clearer and more practical guidance on this complex topic.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2021