This extension does not affect other obligations under GDPR that are triggered by the end of the Brexit transition period, for example the obligation on some UK entities to appoint an EU representative (see our Brexit risk register for more information).
As data protection experts will know, GDPR prohibits the transfer of personal data from the EEA to third countries unless individuals’ data is protected by one of the GDPR-approved transfer mechanisms, or unless one of a limited set of exceptions applies. These requirements on cross-border data transfers apply in addition to the overarching GDPR principles, for example that processing must be lawful, fair and transparent.
The Agreement provides EEA and UK organisations with further breathing space to ensure an appropriate transfer mechanism is in place. The simplest transfer mechanism that many have been hoping for is an awaited EU Commission decision that the UK offers “adequate” protection for personal data transferred from the EEA. Whilst the Commission has started its evaluation, there is no set time frame for when the decision will be made, and some commentators have expressed concern that the breadth of UK national security surveillance legislation might prevent the UK from being deemed “adequate”, particularly against the backdrop of the Schrems II decision. The safest course for organisations, particularly for any sensitive or critical EEA to UK data flows, is therefore to ensure that appropriate alternative measures are in place, such as standard contractual clauses.
The extension period under the EU-UK Agreement is conditional upon the UK maintaining its current data protection regime during that period, with prohibitions on the UK approving new cross-border data transfer mechanisms, unless the EU consents. The Agreement provides that the extension period ends automatically if the EU Commission adopts a UK adequacy decision.
The Agreement also contains a wide range of safeguards where personal data is transferred between the EU and UK for the purposes of law enforcement and judicial cooperation in criminal matters.
There are other provisions in the EU-UK Trade Agreement concerning data flows and related matters, although these are mainly of relevance in shaping future UK and EU legislation rather than being of immediate practical relevance to organisations preparing for the new EU-UK relationship:
- Prohibitions on measures that would constrict EU/UK data flows, such as those requiring personal data to be stored or processed in a particular jurisdiction
- Acknowledgement of the rights of the UK and EU to each adopt new measures for the protection of personal data and privacy, including in relation to cross-border data transfers, on condition that the measures enable “transfers under conditions of general application” for the protection of data transferred. A footnote specifies that these conditions should be “formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases”
- Provisions intended to ensure effective legislative protection of individuals against unsolicited direct marketing, including requirements for individuals to provide consent in accordance with local law requirements. There is an exception to the consent requirement where the relevant contact details were collected in the context of supplying goods or services, in which case marketing communications may be sent for similar goods and services. The EU has been seeking to update and strengthen its legislation on direct marketing and cookies for some years; it remains to be seen whether those reforms will be agreed amongst the EU institutions and member states in 2021, and there is much less certainty over whether the UK would consider making similar changes at some point in the future
- Provisions to encourage cooperation between specified EU and UK entities and national authorities on cyber security issues.
Prime Minister Boris Johnson has suggested that data, along with animal welfare and chemicals, are areas where the UK could diverge from EU standards. However, there are some practical limitations on the direction of any divergence in data standards; for example, under EU law any significant weakening of data protection standards in the UK would likely jeopardise the ability of EEA data controllers and processors to transfer personal data to the UK, given the provisions in GDPR mentioned above.
As far as the UK’s own data protection regime is concerned, from 11pm on 31 December 2020 “UK GDPR” comes into effect, supported by the UK’s Data Protection Act 2018 (as amended). As regards transfers of personal data from the UK to the EEA, the new UK regime provides that data transfers to EEA countries are permissible, although the regime may be subject to review in the future.
For more information on GDPR, data protection or cybersecurity, please get in touch.