On 24 December 2020, the UK and the EU agreed the Trade and Co-operation Agreement between the EU and the UK (the “TCA”). The full text of the TCA can be found here.
Among the many arrangements that came into force at the end of the Brexit transition period at 11pm on 31 December 2020 was a new arrangement relating to the protection of personal data. In this insight article, we set out how the law in relation to data protection works following Brexit. It is of relevance to businesses, third sector or public sector organisations who process personal data (i.e. just about all of them), particularly if they transfer personal data outside the UK, for example if their IT system stores personal data in a data centre in an EU Member State such as the Republic of Ireland, or in the cloud.
Before the end of the transition period, UK data protection law was chiefly governed by the EU’s General Data Protection Regulation (EU) 2016/679, the EU GDPR, which was directly applicable in UK law. The Data Protection Act 2018, which supplemented the EU GDPR, set out certain exemptions and also covered areas not dealt with by the EU GDPR such as law enforcement and intelligence services.
The new UK data protection regime is now made up of the Data Protection Act 2018 and a retained version of the EU GDPR, which has been amended so that it can work under domestic UK law. It is now known as the UK GDPR. The UK GDPR will not necessarily remain aligned to the EU GDPR if the EU GDPR is amended in the future, although the UK may choose to keep it aligned.
However, just to complicate matters, the EU GDPR may sometimes continue to apply to processing activities by UK based data controllers and processors as it can, in some circumstances, apply in foreign jurisdictions.
As a consequence of all of this, on the surface, UK data protection law in 2021 broadly looks much the same as it did in 2020. But when you look below the surface, quite a lot has changed.
Looking at it another way: the basic software of UK Data Protection 2.0 runs much the same as Version 1.9, but the underlying Operating System has changed substantially.
In the meantime, in terms of digital trade, Part Two, Title III of the TCA agreed between the UK and the EU has been implemented in UK law by the EU (Future Relationship) Act 2020.
This sets out an agreement on digital trade which includes some of the ground rules between the UK and the EU on the protection of personal data.
Importantly, Article “DIGIT.6” of the TCA provides that cross-border data flows shall not be restricted by the UK or the EU implementing requirements on the localisation of data, such as laws requiring or prohibiting data storage or processing within each party’s territory.
A key concern of UK based data controllers and processors has always been that the EU GDPR can prevent the transfer of personal data outside the European Economic Area to a third country. Such transfers were permitted only where the EU Commission had issued an “adequacy decision” approving the third country’s data protection regime as meeting EU standards, or where other “appropriate safeguards” had been put in place. Examples of such safeguards include legal mechanisms such as the EU’s “Standard Contractual Clauses” or “Binding Corporate Rules”.
The UK had already issued its own adequacy decision on transfers of personal data into the EU, but a ‘known error’ was that there might be a difficulty in getting that personal data back from processors based in the EU.
It had been hoped that the Trade and Co-operation Agreement (TCA) would include an inbuilt EU adequacy decision in relation to the UK’s data protection laws.
The TCA doesn’t quite go that far.
Instead, Article “FINPROV.10A” of the TCA includes an interim provision whereby the UK will not be treated as a ‘third country’ for EU GDPR purposes for a period of up to 6 months or, if earlier, until there is an adequacy finding for the UK.
This gives important breathing space to organisations that have not yet addressed transfers of personal data from the EU to the UK while the EU Commission continues its assessment of adequacy for the UK.
The failure of the EU Commission to issue an adequacy decision has come in for a lot of criticism. After all, the UK data protection regime is (for now) closely modelled on its EU equivalent.
Possibly the EU’s logic was that it did not want to bake adequacy into the TCA because it wanted to retain a unilateral right to withdraw it if the UK’s regime diverged in the future.
In a statement made on 28 December 2020, the UK Information Commissioner welcomed the “breathing space”, but advised that organisations should continue to work on alternative transfer mechanisms as a sensible precaution.
In the meantime the EU is working on addressing the ‘known error’ in its current crop of Standard Contractual Clauses, and we would hope that in time the new form of EU Standard Contractual Clauses will be available even if the EU Commission does not issue an adequacy decision.
For more information on how the changes in data and information affect you or your business, contact our Head of Data & Technology Partner Douglas McLachlan who specialises in information technology and data protection law advice.