The Quest for Adequacy: EU-UK Data Transfers after Brexit

Notwithstanding the holiday period, it would have been hard to miss the Christmas Eve announcement of a trade deal between the European Union and the United Kingdom, one week before the end of the UK’s Transition Period at 11pm on 31 December 2020.

While for much of the negotiation period, discussion has been about the conditions applying to the movement of goods between the EU and the UK, another key consideration was data, which could flow freely between the EU and the UK while the UK was a member state.

Now that the EU-UK Trade & Co-operation Agreement (TCA) has taken effect and the Transition Period has ended, UK is now for EU purposes a “third country”, like the United States, Australia, Angola or anywhere else outside the bloc. 

However, vast amounts of EU citizens’ data was (and likely still is) processed in the UK, which prior to exit was by a distance the largest data centre market in the EU, with around 858,000 square meters of data space as of December 2019.

Adequacy

The General Data Protection Regulation (GDPR) which has direct effect in the remainder of the EU, no longer applies in the UK.

However, the UK largely copied the GDPR, using the Data Protection Act 2018 to make amendments reflecting the practicalities of applying the GDPR to the UK only; into an instrument it has called the “UK GDPR”, with the same standards, rights and underlying structures as the original EU version.

One of these underlying structures is the system of adequacy decisions, whereby the EU (or in the case of the UK GDPR, the UK) assesses the data protection standards of another jurisdiction, and deems it to offer an “adequate” level of protection, such that EU (or UK) citizens’ data can be safely sent there without further measures.

It was hoped that the UK GDPR would be the basis for the EU to grant an adequacy decision to the UK, as it has done already for Andorra, Argentina, Canada (in respect of commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay. If this was done before the end of the transition period, data could continue to flow freely as it had during the UK’s membership.

In the absence of an adequacy decision, data transfers to the UK would be treated like those to any other third country. That is, they would be unlawful unless made subject to appropriate safeguards such as:

• The third country establishment adopting Binding Corporate Rules (BCRs), which are capable of enforcement by data subjects against an establishment within the EU, and approved by a national data protection authority (“National DPA”) of a member state;
• The adoption by the parties of standard contractual clauses approved by the EU.

Without an adequacy decision or the safeguarding measures above, data may only be transferred if one of a narrow set of derogations at Article 49 GDPR applies.

For its part, the UK has rolled over all of the EU’s adequacy decisions, and granted one for the EU, so that the data of UK citizens can go to the EU under the UK GDPR.

What’s happened?

There has been no adequacy decision from the EU in respect of the UK. For the time being, the TCA sets up a “bridging period”, allowing the UK not to be treated as a third country for data purposes until 1 May 2021. During the bridging period, or until the EU makes an adequacy decision (if earlier), data flows between the UK and EU may continue as normal. If the EU has not made an adequacy decision by 1 May 2021, a further extension to 1 July 2021 takes effect automatically, unless either the EU or the UK objects.

During the bridging period, the UK must not amend its data protection legislation, nor exercise certain powers listed under Article FINPROV.10A of the TCA without approval from the TCA Partnership Council (the “TCAPC”), a bilateral body set up under the TCA for dialogue and the settling of disputes. The bridging period ends if any such amendment takes effect before the EU has made an adequacy decision.

The UK can make changes to maintain its current alignment with EU rules should the EU make any changes during the bridging period. The most likely application of this would relate to the EU’s draft updated Standard Contractual Clauses (SCCs), which it is likely to adopt during the bridging period. These SCCs are likely to serve as the primary means of transferring data to the US following the Schrems II ruling. The UK may choose to adopt these clauses for the same purpose.

So I can continue transferring data from the EU until 1 May?

Mostly. 11 of the 12 jurisdictions listed above have said they will maintain data flows with the UK during the extension. Andorra has not done this, so if for whatever reason your business receives the data of Andorran citizens; you will need to review the requirements Andorra has put in place to continue to do so.

Further, the TCA includes the approval of BCRs as a listed power requiring the approval of the TCAPC in order not to end the bridging period. If your business already has BCRs, which were approved by a National DPA other than the UK’s Information Commissioner (the “ICO”), they must be resubmitted to the ICO for re-approval by 30 June 2021. Any business wishing to adopt new BCRs, where intended for use under both the UK and EU versions of GDPR, will need approval from both the ICO and a National DPA in the EU.

It has not been made clear whether such approvals from the ICO will engage Article FINPROV.10A, although we would hope for confirmation that they do not, given that they would relate to BCRs previously (or concurrently) agreed under the EU’s GDPR regime.

An adequacy decision for the UK from the EU is not a formality. In particular, the EU is now able to take account of security derogations that it could not while the UK was a member state. Given that security and intelligence issues are the basis of the EU’s data sharing quarrels with the United States, the intelligence arrangements (and potential development of those arrangements) of the UK are likely to be combed over in detail by the EU before making its decision.

While data can flow freely between the UK and EU as it did before, until at least 1 May 2021, businesses would nevertheless be wise to prepare for a world in which the UK does not get an adequacy decision and eventually becomes a third country for data.