As we all know, when the UK left the European Union on 31 December 2019 there was a transitional period until 31 December 2020 for a trade deal to be agreed. That deal was agreed well past the 11th hour, on Christmas Eve 2020, as if the UK’s departure came as a surprise a mere four and a half years after the referendum result.
So far as we know, the three wise men were not present at the signing. This parting Christmas gift may turn out to be more of a lump of coal in the stocking for UK businesses’ data protection compliance programmes. The question is, has Brexit, now that it has been finalised, changed data protection law?
The short answer is: it’s only changed two things, and that might even reduce to one thing. The one thing that’s definitely changed will affect any UK entity which offers goods or services to individuals anywhere in the European Economic Area (EEA) or which monitors the behaviour of such individuals. More on that later. The thing that may have changed is the ability to transfer personal data from the EEA to the UK, but we won’t know for sure for another few months…
What does this mean for organisations in practice?
In this, the first of two articles on the impact of Brexit on data protection, we’ll look at the potential problems around transferring personal data from the EEA to the UK.
Before we start, it’s worth noting that data protection law in the UK remains broadly the same as it has been since May 2018, when the European General Data Protection Regulation (GDPR) came into force throughout the EU, including the UK. The UK’s European Union (Withdrawal) Act 2018, better known as just the Withdrawal Act, transposed the GDPR into domestic UK law once the withdrawal became effective. So, within the UK, we still essentially have the same law as before.
There are, however, a couple of wrinkles when it comes to cross-border data issues between the UK and the EEA (that is, the EU plus Norway, Iceland and Liechtenstein, which operate as a club for data protection purposes). One of the principles of GDPR is that personal data cannot be transferred out of the EEA unless the destination meets one of a number of conditions. So now that the UK lies outside the EU, any transfer of personal data from the EU into the UK must meet one of those conditions.
One of those requirements is that the destination country is recognised by the European Commission as having “adequate” data protection law in place. This can apply as a blanket to virtually all data transfers out of the EEA, a much better solution than most of the other conditions, which would require considerable effort at the level of the individual organisations transferring the data. This recognition requires a formal “adequacy decision” by the European Commission, a process which usually takes years.
Of course, the UK has a head-start in terms of achieving an adequacy decision, because it has adopted the very same law that the EU has in place. But, as part of the exercise, the EU will want to check, for example, that enforcement mechanisms are up to its standards. There will also, no doubt, be significant political pressure for an adequacy decision to be granted, given the billions of items of personal data flowing to and fro between the two blocs.
Which brings us back to Christmas Eve. As part of the trade deal, the UK and the EU agreed a further transitional period (which they glamorously named the Bridge, probably so that people might not think it was yet another transitional period), during which the EU would evaluate and hopefully reach an adequacy decision. That period initially expires on 30 April, although it can (and therefore, on the basis of past experience, probably will) be extended to 30 June.
The consequence of this is that data protection represents a microcosm of the overall position that UK businesses were in throughout the period from the referendum result in 2016 until 24 December 2020 – everybody expects a deal to be done, but nobody can be certain, and therefore, in theory, contingencies have to be put in place in case a deal isn’t done (or, in this case, an adequacy decision isn’t reached).
If an adequacy decision is not made in the UK’s favour, then any entity transferring personal data from the EEA into the UK will need to meet one of the other conditions provided for in the GDPR, such as putting in place the “standard contractual clauses” or “binding corporate rules”. A rigorous exercise in ensuring the security of transferred data would be required as part of that. Significant resources would need to be expended by every affected organisation to ensure that they were able to continue transferring data.
Any chess master reading this will by now have wondered – what about data transfers going the other way, from the UK to the EEA? The UK’s version of the GDPR (known as UK GDPR) now requires any transfers of personal data out of the UK to meet one of the same conditions as the EU GDPR. Again, the best way of achieving that is to have an adequacy decision. Fortunately, the UK’s Exit Regulations effectively established adequacy decisions in favour of the EEA and all those other jurisdictions in respect of which the EU had previously granted an adequacy decision (eg Argentina, Israel, Japan, New Zealand, Switzerland). So exports of personal data from the UK to those jurisdictions can continue as they took place when the UK was in the EU.
We’ll keep an eye out for whether and when a UK adequacy decision is made – in the unlikely event that it isn’t, there may be a mad rush to put alternative measures in place.