In a spectacular display of brinkmanship, the UK agreed a trade deal with the EU 27 at the eleventh hour, prompting a collective sigh of relief on both sides of the Channel. Although tariff- and quota-free trade is the most notable aspect of the 1265-page EU – UK Trade and Cooperation Agreement (TCA), it also covers a number of other areas, including digital trade, of which data protection forms a part.
As we have mentioned in a previous article, the Information Commissioner’s Office (ICO) had already confirmed that organisations complying with the GDPR are in a good position to comply with the post-Brexit data protection regime. Having agreed a transition period during which the EU is assessing the UK’s data protection framework with a view to conferring adequacy, we have now come a step closer to being granted adequacy status following the publication of two opinions by the European Data Protection Board (EDPB).
Background to the adequacy decision
Although the UK is now considered to be a ‘third country’ under the EU GDPR, both sides agreed a transition (or ‘bridging’) period until 30 April 2021 (extendable to 30 June 2021 by mutual agreement), during which personal data flows between the UK and the EEA continue as they did while the UK was an EU member. This means that UK businesses can continue to receive personal data from, and send personal data to, the EU during this transitional period, on the assumption, of course, that they are compliant with current legislation. The EU is using this transitional period to determine whether or not the UK provides an adequate level of data protection. If the EU makes an adequacy decision in the UK’s favour (which is looking more likely in the light of the recent EDPB opinions), then personal data can continue to be transferred from the EEA to the UK without the need for additional safeguards.
For those businesses that are already EU GDPR compliant (which should be the case for any business that regularly sends or receives personal data across borders), or for those that do not transfer personal data outside the UK, there is nothing else that they need to do at the moment. The UK government has already confirmed that there will be no restrictions on personal data being transferred from the UK to the EEA at the end of this transition period, although this will be subject to review. If, however, the EU concludes that the UK’s level of data protection is not adequate, then organisations in the EEA sending personal data to the UK will need to put further safeguards in place, including contractual obligations protecting the transferred data; for most businesses this means adopting Standard Contractual Clauses (SCCs), which we have considered in more detail in a previous article. In the absence of either an adequacy decision or appropriate safeguards, some organisations may be able to rely on the narrow exemptions (derogations) for specific situations, depending on their reasons for processing the personal data (such as law enforcement); these are explained on the ICO website.
One step closer to an adequacy decision in the UK’s favour
To date, only 12 countries have achieved adequacy status with the EU, so, although there is no reason why the EU should not make an adequacy decision in the UK’s favour, the UK cannot take it for granted. The release of two EDPB opinions on the proposed UK adequacy decisions on 13 April 2021 was therefore very welcome. The first opinion (14/2021), based on the GDPR, covers general data protection matters as well as government access to personal data. The second opinion (15/2021) assesses the UK data protection framework in relation to the Law Enforcement Directive (LED). In essence, both opinions find strong alignment between the EU and UK frameworks; the LED opinion, for example, notes a ‘strong alignment between the LED framework and the UK legal framework’ in key areas including processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and automated decision-making and profiling.
This means that the UK is on track to achieve adequacy status, provided its standards of data protection remain aligned with those of the EU. The EDPB noted that there were still matters requiring additional, careful assessment, including the ‘immigration exemption’ in the Data Protection Act 2018 and onward transfers of EEA personal data from the UK to third countries (particularly the transfer of data to US law enforcement agencies, where the protections of UK data protection law would no longer apply).
Make sure your business complies with data protection law
Although the EDPB’s opinions are not binding, they carry weight and will help the UK’s case for adequacy. The EDPB has, however, called on the European Commission to continue to monitor the situation to ensure that the UK maintains its current level of protection for personal data transferred from the EU. Given that the GDPR is already incorporated into UK law (as the UK GDPR) and that the government has repeatedly confirmed that it has no intention of diluting the UK’s data protection laws, there is no reason to suspect that the EU will not make an adequacy decision in the UK’s favour. Nonetheless, if your business relies on personal data being transferred from EEA countries (the EU 27 plus Norway, Iceland and Liechtenstein), then there are a number of steps you need to take to confirm that you are fully compliant with the existing legislation and that you have appropriate safeguards, such as SCCs, in place. We have been advising businesses on their data protection obligations and how to comply with data protection law for several years.