The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter
So…it’s here! Despite many saying it was not possible, a free trade deal has been done. Whether it’s a good deal or a bad deal for the UK is yet to be determined, but a deal has been done nonetheless. The EU and the UK have documented a 1246 page trade and cooperation agreement. At the time of print, the deal has not yet gone through the formal ratification process but it is looking like this will be a formality. The EU member states have been kept updated by Michel Barnier so if there were any issues we would probably already know about any dissenting voices and, the leader of the opposition (Labour) has indicated he will ask his party to vote in favour of the deal when it reaches the floor of the houses of parliament. So whilst there are dissenting voices in all parties, in particular the Scottish National Party (SNP) the UK will end the transition period and enter into a new free trade relationship with the EU somewhere shortly after the 1st January 2021. But what about data protection you ask? What does the trade deal say about adequacy? Can data flow freely between the UK and the EU and vice versa? Here are some key points from a cursory scan through those thousand-plus pages!!
Cross-Border Data Flows
It was pretty obvious that trade between the UK and the EU would have ground to a halt without the ability to transfer data. As such data flows (and by proxy Data Protection) is a key theme throughout the trade agreement. Article DIGIT.6 lays out that both sides:
“are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted”
The conditions in which data shall not be restricted are then laid out. What this section essentially means is that UK companies will not be compelled to store EU data (including personal data) in a particular EU member state but can still store this data in the UK or another EU state. So, if you have data stored in a data centre in Ireland, then you’re likely to be ok on the 2nd Jan 2021. Now, in three years, that could be a different story.
Carve-outs for Law Enforcement, Intellectual Property, Travel, Drivers and the IMI System
The trade agreement has specific provisions clauses covering law enforcement which was to be expected given how data protection law in this area is treated at the national level and the need to cooperate with organisations such as EUROPOL (e.g. Arrest Warrants), the European Courts (e.g. Exchange of Criminal Information) and Financial Institutions (e.g. Money Laundering/Terrorist Financing).
Similarly, personal data contained in the Passenger Name Record (PNR) is also carved out in TITLE III with strict restrictions to only process data contained in PNRs “for the purposes of preventing, detecting, investigating or prosecuting terrorism or serious crime and for the purposes of overseeing the processing of PNR data within the terms set out in this Agreement.“
Again, to support legal action, personal data is referenced in the Intellectual Property section where such data may be required in support of prosecuting/defending an IP infringement.
Professional Drivers have some carve-outs too. There are provisions in regards to ensuring the processing of personal data for compliance with the aforementioned EU Driving Regulations is not used for any other purpose. In particular, location data, driver cards and certain road haulage records.
Finally, there is a carve-out in regards to the Internal Market Information System which highlights how data shall be exchanged and processed.
Unlikely UK will diverge from GDPR in next three years
The 2nd part of Article DIGIT.6 states:
“The Parties [UK & EU] shall keep the implementation of this provision under review and assess its functioning within three years of the date of entry into force of this Agreement.”
Given how tied up cross-border data flows are with data protection legislation, and retaining any future adequacy decision, I don’t think it is likely the UK will diverge from GDPR in any significant way during this three year period. What will be interesting to see is what happens as we get closer to the end of this three year period? What other trade deals (e.g. USA) will have been negotiated in this time? What we might also see is the UK agreeing it’s own adequacy decisions with other third countries (e.g. USA) but I don’t think either is likely until we get closer to 2024.
An adequacy decision is likely within the next four months
In Article FINPROV.10A there is an interim provision for the free transmission of personal data to the UK (the UK has already deemed the EU DP rules as adequate). The provision basically states that for four months the UK will not be treated as a Third Country so long as the UK doesn’t deviate from UK Data Protection legislation as it stands on the 31st December 2021. The provision then goes on to say that this initial four-month period can be extended for two months as long as either party doesn’t object OR an adequacy decision is adopted OR if the UK uses its designated powers without agreement from the EU. Reading between the lines, it looks like this four-month “specified period” is to give the EU the time go through the separate adequacy decision process and, subject to no deviation during the specified period, I would say an adequacy decision is pretty much guaranteed (save for a potential fly in the ointment relating to the UK’s mass surveillance programmes and compatibility with EU Law). If it isn’t in place in the next four months, then both sides are likely to just kick the can down the road every two months until that decision is published.
Whilst an adequacy decision may be more likely than not, that doesn’t stop such a decision being challenged in the courts in a similar way that Schrems challenged Safe Harbor, Privacy Shield and SCC. Given the time this would take to go through the courts the UK may have already made decisions to diverge from current EU rules which could render any successful challenge of an adequacy decision moot. We will have to wait to see.
A place for the ICO as an observer at the EDPB…for a fee.
UNPRO.1.6 lays out that:
“Representatives or experts of the United Kingdom or experts designated by the United Kingdom shall be allowed to take part, as observers unless it concerns points reserved only for Member States…The representatives or experts of the United Kingdom, or experts designated by the United Kingdom shall not be present at the time of voting.”
DIGIT.16 also states that:
“The Parties shall exchange information on regulatory matters in the context of digital trade, which shall address the following:
(a) the recognition and facilitation of interoperable electronic trust and authentication services;
(b) the treatment of direct marketing communications;
(c) the protection of consumers; and
(d) any other matter relevant for the development of digital trade, including emerging technologies.
2. Paragraph 1 shall not apply to a Party’s rules and safeguards for the protection of personal data and privacy, including on cross-border transfers of personal data.”
This infers the ICO will still be able to attend EDPB meetings, can make limited contributions but will not have any voting rights. The UK will also be required to make a financial contribution (a participation fee AND and operational contribution) in order to attend.
What is less clear is how cooperation will work when it comes to the “one-stop-shop” principle of identifying a Lead Supervisory Authority for the purposes of cross-border processing. I can’t see anything in the agreement that states the ICO will be explicitly permitted to remain within the mechanism at the end of the transition period however COMPROV.10 states:
“The Parties shall cooperate at bilateral and multilateral levels, while respecting their respective laws and regulations. Such cooperation may include dialogue, exchanges of expertise, and cooperation on enforcement, as appropriate, with respect to personal data protection.”
This could infer that the ICO will remain within the One-Stop-Shop mechanism but the working assumption, unless something is communicated that clears this up, should be that from the 1st Jan 2021 the ICO will drop out of the mechanism. Organisations that are effected should seek advice on whether they need to identify a new Lead Supervisory Authority.
No GDPR apocalypse
So, a few initial points from the agreement text. There will no doubt be other nuggets but as more people delve into the detail, those will come out too. Needless to say, there will be no GDPR apocalypse on New Years Day. In echoes of 2000, the forecasted data “end of days” will be somewhat more of a damp squib. Which is, I’m sure for many businesses out there. one less thing they need to think about – and that can only be a good thing given everything else that is going on at the moment!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.