An interim agreement has been reached between the UK and the EU, allowing data to freely flow from EU and EEA states to the UK for the foreseeable future until an adequacy decision is reached.
After several months of negotiating, the EU and the UK have finalised the terms of the Brexit deal, which includes an interim solution for the transfer of personal data from the EU and the EEA (European Economic Area) to the UK in the absence of an adequacy decision from the European Commission (‘EC’). The agreement means that European-based organisations that are affiliated with UK companies or that use UK service providers are not required to find alternative solutions to maintain the flow of data, as it temporarily keeps the current rules in place for several months; it was determined that an adequacy decision was not possible before 31 December 2020, the end of the transition period.
The terms outlined in the Trade and Cooperation Agreement (‘the Agreement’) allow companies and organisations to continue transferring personal data for up to six months from 1 January 2021 to allow time for the EC to approve an adequacy decision in favour of the UK. The initial interim period of four months can be shortened if an adequacy decision has been made and extended by two further months, unless either the UK or the EC objects. The period will continue so long as the UK maintains its ePrivacy rules and does not amend its data protection legislation or exercise certain designated powers without the EU’s consent. Under the Agreement, the UK will not be considered a ‘third country’ for the purposes of personal data transfer during the interim period.
Within the agreement, the UK has further committed to (i) ensuring that individuals are protected against unsolicited direct marketing communications; (ii) not restricting cross-border data flows (e.g. by requiring data localisation or by using locally certified or approved computing facilities); (iii) sharing Passenger Name Record and vehicle registration information regarding international travel; and (iv) cooperating in relation to criminal record information, including fingerprint records and DNA.
Identical laws are not required to gain an adequacy decision, but according to a judgment given by the Court of Justice of the European Union (‘CJEU’), a level of protection that is “essentially equivalent” to that guaranteed under the General Data Protection Regulation (‘GDPR’) is a must. Therefore, there is speculation that reaching an adequacy decision may not be feasible in six months. The EC has previously taken several years to reach a conclusion regarding adequacy for countries such as Israel and Japan. In addition, in spite of the fact that the UK has directly incorporated the GDPR into UK law (referred to as the UK GDPR) alongside an updated version of the Data Protection Act 2018 (‘DPA 2018’) in compliance with the European Union (Withdrawal) Act 2018 (‘EUWA 2018’), there are several factors that could possibly undermine and/or delay the adequacy finding. This may include the UK’s approach to processing mass surveillance information under the Investigatory Powers Act 2016 (‘IPA 2016’), which the CJEU has ruled illegal under EU law and incompatible with the fundamental rights of privacy, freedom of expression, and data protection outlined by the ePrivacy directive and GDPR.
In addition, as previously reported, the high court withdrew an adequacy decision given to the United States as it deemed US surveillance laws too intrusive for EU standards. The ruling cast doubt on the legality of using Standard Contractual Clauses (‘SCCs’) as the basis for international data transfers in lieu of adequacy status. It found that, although the clauses are legally valid, companies were still responsible for ensuring that those they share personal data with will grant privacy protections equivalent to the EU. Thus, the UK’s strong link with the US plays another role in reducing the chances of achieving adequacy status.
Whether the UK receives adequacy status will depend on several factors, but its main focus should be addressing the existing deficiencies in its data protection regime, for instance the divergence in the definition of personal data between the UK GDPR and the UK’s 2017 Digital Economy Act, to improve its chances of achieving adequacy status. The EC also cannot ignore the UK’s conduct of mass surveillance, as it was done under laws that fail to satisfy the conditions outlined by the CJEU in Schrems II.
The Information Commissioner’s Office (‘ICO’) has assured businesses and public bodies across all sectors that they are able to freely receive data from the EU and EEA during this period. Information Commissioner Elizabeth Denham stated, “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices”. However, as a precaution, the ICO has cautioned businesses and organisations that adequacy is not guaranteed and a decision may take longer than expected, recommending that organisations consider incorporating alternative transfer mechanisms to safeguard against any interruption to the flow of personal data. While it is possible to transfer data to third countries that are deemed not adequate if there are sufficient safeguards in place, such as SCCs, the interim agreement provides a short-term solution instead of putting in place EU-equivalent alternative or additional transfer mechanisms and, therefore, avoids costs that could otherwise amount to £1.6 billion.