After the political and constitutional upheaval of the last four years that has been Brexit, a trade deal—the EU-UK Trade and Cooperation Agreement—was finally reached between the United Kingdom (UK) and the European Union (EU) on December 24, 2020, just days before the deadline when the UK was set to crash out of all EU treaties.
Amongst the rules about how much fish a French fisherman can catch off the coast of Scotland and whether a vaccine approved in Denmark can be used in the UK, a number of well-meaning pronouncements were agreed regarding the use of personal data and its flow across borders.
The UK has always held the view that, given up until now, both the UK and the EU have had identical privacy law frameworks under the GDPR, it would be safe to send the personal data of UK citizens to any country in the European Economic Area (EEA). To date, the EU has made no reciprocal declaration and wants six more months to consider its position. It has always been difficult to see how the EU could say that the UK’s data privacy laws did not give adequate protection to EU citizens, but during this bitter divorce process the EU has simply repeated the refrain that “nothing is agreed until everything is agreed.” Thus, in the middle of this nearly 1,500-page agreement has been inserted a four to six-month interim period during which personal data can flow both ways while a final decision on the UK’s “adequacy” status is made. An adequacy decision is a formal step of the European Commission that needs approval by other institutions of the European Union that will take a little more time to achieve.
The six-month grace period is subject to conditions. If the UK amends existing data protection laws during this period without agreement of the EU Partnership Council (which will work out the details of the UK-EU trade deal), this “bridging mechanism” will terminate when “the powers are exercised or the amendment comes into force.” Given these conditions, the UK is unlikely to change its privacy laws or negotiate agreements with third-party countries concerning the flow of data in this interim period. During this time, business owners may operate safe in the knowledge that currently no additional measures relating to transfers of personal data from EU member states to the UK are required.
However, if this period should end in June 2021 without the EU having adopted an adequacy decision regarding the UK, there could be an abrupt end to the free flow of data. As a “sensible precaution,” the UK’s Information Commissioner’s Office has recommended that businesses put in place “alternative transfer mechanisms,” to safeguard against any interruption in the free flow of personal data from the EEA to the UK. For the vast majority of businesses, this means “model” or “standard” contractual clauses drafted by the EU Commission contained in a data transfer agreement.
Additionally, businesses that have an entities in the UK but operate or have employees in other European countries will need to appoint official data protection representatives in EU member states and update their privacy notices accordingly.
Obtaining adequacy status from the EU is now the stated aim of these provisional terms of the Brexit trade deal, but it is not guaranteed. Businesses and employers operating in the UK and across the EU may want to use this grace period to prepare for further wrangling between UK and EU trade negotiators.