At long last, the EU and the UK have agreed on the Brexit Trade Deal, the “EU-UK Trade and Cooperation Agreement” (the “Brexit Agreement”), which establishes the terms on which the EU and the UK will be trading following the 31st December 2020.
When it comes to the Brexit Agreement’s effects on personal data regulation and on personal data transfers, the terms of the Brexit Agreement can best be described as no more than an interim stop-gap solution.
1. The Stop-Gap Solution
Under article COMPROV.10 of the Brexit Agreement, the EU and the UK both commit to ensuring a high level of personal data protection and to endeavouring to work together to promote high international standards. Furthermore, the Brexit Agreement provides that each party must recognise that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
So far so good. However, the Brexit Agreement does not deal with the “elephant in the room”, namely the key consideration of whether the EU Commission (“EC”) will deem the UK’s data protection legislation “adequate”, in other words substantially equivalent to that of the EU, which would in turn permit the continued free flow of personal data from the EU to the UK without any additional formality.
In principle, as of 1st January 2021, personal data transfers from the EU/EEA to the UK are to be treated as personal data transfers to a third country, like any other personal data transfers to a non-member state, in accordance with the requirements laid out in the General Data Protection Regulation (“GDPR”), given that the UK will no longer be a Union member. Furthermore, since the UK has not yet been granted an “adequacy decision”, the GDPR would require such transfers to be made lawfully on the basis of alternative solutions, either using “appropriate safeguards” or relying on a derogation from the personal data transfer restrictions.
Thankfully, however, EU data exporters will not need to rush into identifying and implementing such alternative solutions, as article FINPROV.10A of the Brexit Agreement provides for what is effectively a stop-gap solution, in that it postpones the requirement to treat transfers from the EU to the UK as third country data transfers. This postponement will last until an adequacy decision is granted by the EU Commission or until 1st May 2021 (whichever is earlier).
If by the 1st May 2021 no adequacy decision has been issued by the EC, then there will be a further extension applicable until 1st July 2021 and this extension will be automatically triggered unless either party to the Brexit Agreement raises an objection.
It should be noted that this interim solution is subject to the condition that the UK’s data protection legislation remains as “saved and incorporated into United Kingdom law”, that is, on the condition that the UK does not amend its data protection legislation during this interim period. Furthermore, it is subject to the UK not exercising so-called “designated powers” during this interim period, which include the power of the UK to issue its own adequacy decisions, to issue standard contractual clauses (“SCCs”) and to approve new codes of conduct, certification mechanisms and binding corporate rules.
If the UK does want to make any legislative change, it could do so with the approval of the Brexit Partnership Council, except for UK legislative amendments which are limited in scope to aligning UK laws with those applicable within the EU. In this regard, it should be noted that earlier, on the 12th November 2020, the EC had issued a Draft Implementing Decision on New SCCs together with a draft of the New SCCs. It would appear that the exception for aligning UK rules with those applicable within the EU could be availed of by the UK should it wish to adopt the same draft SCCs. Should you wish to read further about the Draft Implementing Decision on new SCCs, you may access it here.
2. Other Key Data Provisions
Technically, the Brexit Agreement sets out that cross-border data flows shall not be restricted between the parties, by a party:
a. requiring the use of computing facilities or network elements in the Party’s territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party;
b. requiring the localisation of data in the Party’s territory for storage or processing;
c. prohibiting the storage or processing in the territory of the other Party; or
d. making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties’ territory or upon localisation requirements in the Parties’ territory.
Therefore, in layman’s terms, “data localisation” requirements are prohibited. However, article DIGIT.7.2 of the Brexit Agreement should be observed in this regard; it states:
“Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.”
Effectively, this means that restrictions on personal data transfers are possible, insofar as they are not absolute and insofar as the parties treat each other in the same way as they treat any other country.
Furthermore, particular note should be taken of the provisions on unsolicited direct marketing communications under article DIGIT.14 of the Brexit Agreement.
Each party to the Brexit Agreement commits to protecting users against unsolicited direct marketing communications and each party shall ensure that direct marketing communications are not sent to users who are natural persons unless they have given their consent (in accordance with each party’s laws relating to receiving such communications).
Notwithstanding this, each party shall allow any person who may have lawfully collected the contact details of a user in the context of the supply of goods or services thereto, to send direct marketing communications to that user for their own similar goods or services (emphasis added).
3. What Next?
Clarity on upcoming data protection regulation and data flows between the EU and the UK remains elusive, especially given that it appears very evident that the Brexit Agreement’s temporary solution is only meant to allow enough time for the EU and UK to respectively adopt adequacy decisions.
Critically, an upcoming adequacy decision for transfers from the EU to the UK appears to be by no means a certainty. The earlier Court of Justice of the EU (“CJEU”) Schrems II judgement should be considered in this regard, which essentially had invalidated the EU-US Privacy Shield and ruled against the use of the current SCCs by Facebook and similar companies (you may wish to read further about this here).
Without a doubt, the UK’s data processing laws, especially regarding national security and bulk data transmission, will cast doubt on the UK’s chances of obtaining an adequacy decision from the EC, given the considerations made by the CJEU when invalidating the EU-US Privacy Shield in Schrems II, which also seem somewhat applicable to the UK. Possibly, even if an adequacy decision is indeed granted, complete certainty will only be achieved once the decision is tested before the CJEU, given the precedent established by the CJEU in Schrems II.
On the other hand, with respect to personal data flows from the UK to the EU, the UK had already announced that it will, at least in the beginning, consider EU/EEA countries as adequate for the purpose of UK to EU/EEA transfers.
This article was written by Senior Associate Dr Terence Cassar.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.