Both unfinished business and a hot topic

The Trade and Co-Operation Agreement (the TCA) lays the foundations for the new relationship between the UK and the EU in a post-Brexit world and governs a broad spectrum of issues including (amongst other things) trade, standards, competition, taxation, law enforcement and security.

The TCA also addresses, albeit briefly, the issue of data protection and overseas transfers of personal data.

As the continuation of undisturbed cross-border data transfers is fundamental to facilitate the successful trade of goods and services in a growingly digitalised world, it was eagerly anticipated by many commentators that an adequacy decision might form part of the TCA.

Unfortunately, the UK and the EU failed to reach an agreement in the TCA guaranteeing the continuation of free data flows indefinitely and the UK was not given an adequacy decision. Instead, the TCA provides for a grace period whilst the parties work towards an adequacy decision. 

The grace period

The TCA provides an initial grace period of 4 months (commencing on 1st January 2020 and extending automatically to 6 months should neither party oppose such extension) during which cross-border data transfers may continue whilst the EU considers the adequacy of the UK’s data protection regime. Essentially, this means “business as usual” during the grace period.

The continuation of the 4-6 month grace period is contingent upon:

  • The UK retaining its current data protection and ePrivacy regime; and
  • The UK only exercising certain powers within the UK data protection rules upon the agreement of a newly formed UK-EU Partnership Council.

The UK is likely to satisfy the first limb of these requirements with ease: the UK has ePrivacy laws that are largely consistent with the EU equivalent and has implemented the UK version of the GDPR (known as the UK GDPR) with effect from 1st January 2020.

The second limb may prove more difficult for the UK to comply with, as its effect is to restrict the UK’s ability to approve any new mechanism to facilitate cross-border data transfers. Whilst it is not anticipated that the grace period will come to a premature end, this cannot be discounted.

The TCA does not affect the UK GDPR, which remains in force, nor any other data protection compliance requirements or rules on transfers to the EU that the UK has formally adopted.

However, if there is still no adequacy decision from the EU at the end of the grace period, this will have significant implications for businesses that carry out overseas data transfers.

What is an adequacy decision?

The EU regulation governing data protection (the EU GDPR) gives the European Commission the ability to examine a country’s data protection regime and formally recognise that country’s laws as adequate. To be deemed adequate, a country’s data protection laws must offer protection for citizens’ personal data equivalent to that afforded by the EU GDPR. The grant of an adequacy decision allows personal data to be transferred to that country as though the recipient were located within the European Economic Area.

An adequacy decision from the European Commission in respect of the UK’s data protection regime will be negotiated separately from the TCA. An adequacy decision considers the entire range of protection for personal data across both public and private sectors, including the regulations of law enforcement and national security, and the laws of the country in question.

Should an adequacy decision fail to be reached, the transfer of personal data from the EU to the UK shall be deemed a transfer to a “third country”, and appropriate safeguards must be put in place (discussed below).

Why is data protection such an important issue within the TCA?

The international landscape of data protection regimes has experienced seismic change recently as a result of the European Court of Justice’s (the ECJ) landmark finding in the Schrems II case. In its judgment, the ECJ ruled that the data transfer mechanism known as the “US-EU Privacy Shield” is invalid on the basis that it fails to adequately protect the personal data of EU citizens. The ECJ attributed this to the remit of US governmental and local bodies to conduct surveillance for reasons of national security.

In the same ruling, the ECJ held that appropriate safeguards such as binding corporate rules (BCRs) or standard contractual clauses (SCCs) may be used to facilitate the free flow of data into and out of the EU only after a due diligence exercise has confirmed that the entity receiving the data is able to provide protection equivalent to that afforded by the EU GDPR.

The use of SCCs and BCRs as a mechanism for data transfers is therefore contingent upon the sender of the personal data conducting an audit of the intended recipient and satisfying itself that the required level of data protection is reached, given the overall circumstances of the transfer.

The TCA provides that certain aspects of the agreement (terms in respect of law enforcement and judicial co-operation) may be terminated or suspended should there be a breach of protections for human rights, fundamental freedoms and personal data. Personal data will therefore remain a fundamental issue until an adequacy decision is reached (if one is reached at all), and it has the potential to impede or terminate co-operation between the EU and the UK in matters of anti-terrorism, shared intelligence and wider judicial co-operation.

The overall premise of the TCA is to establish a new relationship between the UK and the EU subject to the rules of international law. In a bid to restore the UK’s constitutional supremacy, the TCA provides for a marked departure from the governing oversight of the ECJ and European law. The UK is now free to carve out the future of its own data protection regime on an international platform, and given the different approaches taken by the EU and the US to data protection, as highlighted by the Schrems II decision, the grant of an adequacy decision for the UK’s own data protection regime is by no means guaranteed.

We will explore the factors influencing the EC’s decision on adequacy for the UK, and the impact the Schrems II case has made on the international data protection landscape, in future updates that can be found on our Brexit Hub.

What measures should businesses take?

The UK’s regulatory body, the Information Commissioner’s Office (the ICO), issued a statement on 28th December 2020 that the TCA was the best possible result for UK organisations processing the personal data of EU citizens, as data transfers may continue undisturbed. However, the ICO also cautioned that businesses should implement alternative transfer mechanisms as a sensible precaution whilst an adequacy decision is considered; this will help to safeguard against any interruption to the free flow of personal data if an adequacy decision is not forthcoming in the next 4-6 months.

From 1st January 2020, two data protection regimes operate concurrently, the UK GDPR and the EU GDPR, and many entities that operate cross-border services or trade in goods may find that they are subject to both regimes simultaneously.

Practical measures businesses should consider include:

  • Seeking early legal advice to minimise the risk of failing to comply with two regulatory regimes and the consequent increased risk of incurring additional fines or regulatory sanctions;
  • Updating privacy notices and other data protection documents to refer to the correct data protection officers or lead supervisory bodies;
  • Conducting a data transfer mapping exercise to identify data transfers which may require appropriate safeguards to be put in place to continue the permitted transfer; and
  • Conducting a review of existing agreements and the relevant data protection terms to remove reference to out-of-date data protection legislation.

The role of the ICO

The ICO no longer performs a role under the EU GDPR. Businesses are therefore no longer able to appoint the ICO as the lead data protection authority in respect of cross-border data complaints and issues. Organisations that previously nominated the ICO within their BCRs will need to revise their existing terms and appoint a new EU data protection authority.

Appointing an EU or UK Representative

Any UK-based entities (with no establishment in the EU) that provide goods or services to EU citizens or process the personal data of EU citizens will need to consider whether they are required to appoint an EU representative in order to comply with the EU GDPR.

Additionally, EU-based entities conducting cross-border data transfers will need to consider whether they are required to appoint a UK representative to comply with the UK GDPR.

Appointing a Data Protection Officer (DPO)

The requirement to appoint a DPO continues under the UK GDPR. If a business is governed by both the UK GDPR and the EU GDPR simultaneously, it will need to ensure that the DPO remains easily accessible from each establishment.

Here to help

Our expert team of data protection solicitors is able to advise you on the data protection aspects of your business and provide you with the appropriate documentation to ensure your compliance. For further information, you can access our dedicated Brexit Hub section, contact us on 0161 941 4000 or email our data protection specialists.