The GDPR framework
The European Union’s (“EU”) General Data Protection Regulation (“GDPR”), which applies in all EU and European Economic Area (“EEA”) Member States, governs the processing of personal data within the EU. While still a member of the EU and during the transition period after its formal withdrawal from the EU, the United Kingdom (“UK”) was included in that arrangement. Post Brexit, the UK will need to rely on so-called “equivalence”, i.e. an assessment by the European Commission that the UK’s data protection regime is adequate for data transfers from the EEA to the UK to be allowed. However, the possibility that an equivalence decision may not be granted by the European Commission means that after 31 December 2020 personal data cannot move from the EU to the UK without additional safeguards (such as Standard Contractual Clauses, “SCCs”) being put in place between the data exporter in the EU and the data importer in the UK.
The EU-UK Trade and Cooperation agreement
On 24 December 2020, the EU and the UK announced a trade and cooperation agreement that would regulate the relationship between the two parties after 31 December 2020 (the “Deal”), which will provisionally enter into force on 1 January 2021, while awaiting the approval of the EU Parliament.
Although the Deal contains very few provisions beyond those aimed at ensuring a flow of goods between the EU and the UK, it does provide a temporary solution to the issue of the movement of personal data from the EU to the UK.
In relation to the issue of the free movement of personal data to the UK, the Deal effectively maintains the status quo until 30 April 2021, or perhaps as long as 30 June 2021 if it is extended. That means that personal data can continue to move freely to the UK as it did until 31 December 2020. This buys everyone time whilst the European Commission continues to consider whether to grant an adequacy decision to the UK under the GDPR and the Law Enforcement Directive (“LED”).
This is particularly welcome, since recent research showed that having to put alternative transfer mechanisms in place could have cost UK businesses approximately £1.6 billion.
The free flow of data can also continue for transfers for law enforcement purposes. This is crucial, as ensuring data can continue to be shared to prevent and detect criminal activity is vital for the security of citizens both in the EU and the UK.
However, the arrangement with respect to the free flow of personal data between the EU and the UK under the Deal comes with a few conditions, specifically that the UK does not exercise certain powers contained within the Data Protection Act 2018 (“DPA 2018”) (the legislation by which the GDPR is incorporated into UK domestic law). In particular, the UK may not under the DPA 2018:
- declare its own decisions regarding the adequacy of other third countries; and
- deviate from the GDPR-provided safeguards for the transfer of personal data to third countries.
The maintenance of the status quo to allow the continued flow of personal data is critical to many operations. It also possibly signals that there is a continued willingness on both sides to work towards an adequacy decision from the EU for the UK. The adoption of an adequacy decision by the EU is a long process and entails: (i) a proposal from the European Commission; (ii) an opinion from the European Data Protection Board (“EDPB”); (iii) approval from representatives of the EU Member States; and (iv) the adoption of a decision by the European Commission.
There is also a wider context to consider. The UK is a departing EU Member State, so to suggest the UK is not adequate would set the bar for adequacy impossibly high. It could create substantial difficulties for the EU in conferring new adequacy decisions (for example on South Korea or on certified US companies under any replacement for the Privacy Shield, the existing data arrangement with the US recently struck off by the European Court of Justice (“CJEU”) as not being sufficiently equivalent to the EU GDPR). It could also prove a barrier to continuing existing adequacy decisions, which are currently being reviewed by the European Commission. Without adequacy, substantial additional compliance burdens would arise for EU businesses which transfer data to the UK, at a time when businesses are already very stretched in the current climate.
Moreover, the burden of transferring data to third countries in the absence of an adequacy decision has increased following the outcome of the Schrems II case, where the ECJ stated that SCCs are valid as a safeguard when transferring data but also, surprisingly, that the Commission Decision 2016/1250 on the adequacy of protection provided by the EU-US Privacy Shield was invalid.
For example, transfer impact assessments require companies to conduct “mini adequacy assessments” of countries to which data is transferred, using the same criteria as the European Commission uses when conferring adequacy decisions. That means assessing the data protection framework in the third country as well as its international commitments and respect for the rule of law, access to justice and international human rights norms (see Article 45(2) of the GDPR). These are complex considerations and particularly difficult for small and medium enterprises to comply with. Adequacy for the UK means that this additional work does not have to be done and data can continue to be transferred freely, as it is at the moment.
What can happen if an adequacy decision is ultimately not granted?
There has been much speculation about an adequacy decision in favour of the UK being challenged, and potentially being declared invalid by the CJEU, as happened in the cases of Safe Harbor and the Privacy Shield. The Deal provides for this eventuality. In a non-law enforcement context, the Partnership Council, which supervises the operation of the Deal, is able to make recommendations to the parties regarding the transfer of personal data in areas covered by the Deal, or any supplementing agreement. This provision potentially allows difficulties to be dealt with before they cause disruption. Alternatively, this could assist in providing a political solution in the event that the CJEU invalidates the adequacy decision for the UK. This is helpful and may avoid the situation businesses found themselves in after the invalidation of Safe Harbor and the Privacy Shield, where they were left with the cost of putting in place new safeguarding mechanisms. The law enforcement provisions in the Deal contain explicit clauses dealing with any invalidation of an adequacy decision. The Deal states that where there are serious or systematic deficiencies “within one party”, including where they have led to “a relevant adequacy decision ceasing to apply”, the Deal enables certain provisions in the law enforcement context to be suspended. At this point, the Partnership Council can explore possible ways of allowing the party that initiated the process for a suspension to instead postpone its entry into effect, to reduce its scope or to withdraw it. This has the potential to cause tension between the CJEU’s assessment of adequacy and the Partnership Council’s approach. However, it mitigates the risk of losing the adequacy decision in a law enforcement context by allowing a practical solution to arise instead.
This is a welcome innovation.
THE ICO PUBLISHES A NEW DATA SHARING CODE OF PRACTICE
On 17 December 2020, the UK’s supervisory authority for data protection, the Information Commissioner’s Office (“ICO”), published a new data sharing code of practice (the “Code”), which addresses the requirements for data sharing under the GDPR (now the “UK GDPR”, given that it has been transposed into UK domestic law) and the DPA 2018.
Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as when giving third parties access to personal data. It does not, however, apply to data sharing with a processor, nor to the disclosure of data within an organisation.
The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the UK GDPR and the DPA 2018. Additionally, the Code aims to address misconceptions regarding data sharing. For example, the ICO addresses the misconception that the UK GDPR and DPA 2018 prevent the sharing of data, clarifying that data protection law does not actually prevent data sharing so long as it is approached in a fair and proportionate way. The ICO also addresses the misconception that data sharing can only occur with the data subject’s consent: while most data sharing does not rely on consent, the Code states that if you cannot offer a genuine choice to the individual, consent may not be appropriate.
The ICO also makes clear that personal data can be shared in an emergency as is necessary and proportionate (e.g. to protect public health), which is particularly relevant at the moment.
The ICO recommends as a first step that a data protection impact assessment is conducted when considering sharing personal data. In addition, a data sharing agreement should be in place between organisations when sharing data. Additionally, the Code requires organisations to follow the key data protection principles when sharing personal data and ensure:
- accountability, i.e., being able to demonstrate compliance;
- fairness and transparency;
- identifying a lawful basis for sharing the personal data prior to sharing; and
- processing personal data securely, with appropriate organisational and technical measures in place.
The Code also offers guidance regarding situations where children’s personal data is shared, or in emergencies (such as situations where there is a risk of serious harm to human life). When sharing personal data of children, the Code states that additional care must be taken, and lists the factors organisations should consider when deciding whether to share children’s personal data, such as having a compelling reason and balancing the best interests of the child against the rights of others.
The ICO also provides in the Code for a data sharing checklist and data sharing request and decision templates. This will assist organisations with their initial decision regarding whether to share personal data or not, and with demonstrating accountability.
To supplement the Code, the ICO also launched a data sharing information hub, which aims to provide targeted guidance and practical tools for organisations and businesses. Some of these tools include a data sharing checklist, various templates and toolkits, and practical case studies.
The ICO submitted the Code to the Secretary of State on 17 December 2020 and it is expected to receive approval in February 2021.
Please find the new Code here: ICO Code
Please find the new data sharing information hub here: Data sharing information hub
For more information, and any guidance or advice on your commercial contracts and personal data clauses, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.
 The Partnership Council will supervise the operation of the agreement at a political level, providing strategic direction, and will be supported by a network of other committees. These will provide necessary opportunities for technical discussion to ensure the smooth implementation of the Deal and its stable operation (see Title III of the Deal).