In the run-up to Christmas it was clear that there was no time for a formal EU Commission decision of adequacy for the UK before the year end. The only hope was a political deal - with some of us hoping we could exchange fish for data! We therefore breathed a sigh of relief when the news filtered through that the EU-UK Trade and Cooperation Agreement (the TCA) agreed on 24 December included a temporary solution for the continued free flow of personal data between the EU and the UK. This ‘bridging’ solution is the next best thing to a formal adequacy decision, but what exactly does it do and are there any other implications for Brexit and data privacy?
EU-UK data flows under the TCA
The TCA allows for transfers of personal data from the EU to the UK to continue seamlessly for an interim period of four months, with a possible two-month extension. This will also apply to the other EEA states assuming they opt in. It is hoped that this interim period will allow the EU Commission to adopt an adequacy decision in respect of the UK.
The ‘bridging’ arrangements for data flows are based on the assumption that the UK’s current data privacy legislation will remain in place during the interim period. Amendments to align UK legislation with EU data protection law are permitted but if other changes are made, or certain powers are exercised, without the EU’s consent, then this bridging arrangement may come to an end early.
What about transfers from the UK?
The UK had already deemed the EEA member states, and the countries that benefited from an EU adequacy decision as of 31 December, to be adequate for transfers from the UK, and the TCA doesn’t change this.
Existing EU SCCs continue to be valid for transfers out of the UK to non-adequate countries. For new transfers, the EU SCCs can continue to be used (although a number of the terms don’t make sense post Brexit) or they can be amended first to reflect Brexit (but nothing else). The latter seems a better approach and the ICO has helpfully prepared versions with suggested amendments.
The EU’s consultation on new EU SCCs closed before Christmas and final versions of those are awaited. We also expect there to be new UK SCCs in due course. This is therefore an area businesses should monitor.
Although the Schrems II decision will continue to apply to the UK, guidance from the European Data Protection Board (EDPB) is no longer directly relevant in the context of the UK GDPR. Thus the EDPB’s guidance on supplementary measures, once finalised, won’t apply to transfers subject to the UK regime. That said, it clearly still provides helpful guidance on certain issues and the ICO has stated that it will consider such guidance to be an indication as to what is good practice. In any event, the ICO intends to publish its own guidance on this topic - it will therefore be interesting to see the extent of any divergence that appears.
Other implications of Brexit on data privacy compliance
As we explained in a previous article in October 2020, international transfers are only one of the implications of Brexit on data privacy. The other implications were never expected to be part of any political deal and so they all kicked in on 1 January, including for instance, the need to identify whether a business is subject to the extra-territorial provisions of the EU GDPR and to identify a new lead supervisory authority.
What should businesses do now?
An adequacy decision from the EU now seems much more likely – after all, there appears to be political will for this to happen and, from a legal perspective, the UK and EU data privacy regimes are obviously well aligned. However, there is still pressure on the EU Commission following the Schrems II decision to go through the UK’s surveillance powers with a fine toothcomb. Whilst the mood music is positive, ultimately there can be no certainty that a positive adequacy decision will be forthcoming.
There is no harm in entering into SCCs now (as recommended by the ICO in its statement of 28 December) in case the positive adequacy decision is not arrived at. However, this takes internal resources when there are plenty of other things to do too. In many cases, it will therefore make sense to watch and wait for the next few months and assess where we are at come the end of March, as that would still likely leave 3 months to put SCCs in place if necessary. If, however, you haven’t yet addressed the other Brexit impacts on data privacy, now is the time to do so.
In these tumultuous times, any positive news is welcome and our initial optimism on the free flow of data from back in November 2017 has, for the time being at least, been restored.