The UK/EU Trade and Cooperation Agreement and data protection: what you should do now

Screenshot of title page of the EU/UK agreement I know it's Christmas. And I know I'm supposed to be on holiday. But I also know that some of you have been planning for, or even just worrying about, what you need to do to prepare for the end of the Brexit transition period, in terms of data protection.

Hopefully, this can help put your minds at rest, at least for a little longer.

The UK has left the EU, but is in an odd "limbo" state

The GDPR imposes rules on the transfer of personal data countries outside the EU, with a goal of ensuring that people's data received an essentially equivalent level of protection.

The rules typically require a combination of legal stuff and technical / operational stuff, and exactly what is required depends on the nature of the transfer and the protections afforded by the country to which the data are transferred.

In terms of the "legal stuff", the best outcome is that the country's laws are deemed by the European Commission to be "adequate". Other options include some standard contractual clauses — the "model clauses" — or some mechanisms suited to isolated transfers.

Even though the UK has left the EU, it's in an odd "limbo" situation.

What the agreement says about international transfers

Article FINPROV.10A, entitled "Interim provision for transmission of personal data to the United Kingdom" says this:

For the duration of the specified period, transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law, provided that the data protection legislation of the United Kingdom on 31 December 2020, as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 201987 (“the applicable data protection regime”), applies and provided that the United Kingdom does not exercise the designated powers without the agreement of the Union within the Partnership Council.

This also applies to transfers of personal data from Iceland, Liechtenstein and Norway.

There is no "adequacy" decision in this agreement, but you don't need model clauses... yet

There is a lot of debate in the data protection community as to whether the UK would be found to be "adequate" (and, if it is, whether that decision would survive a court challenge, such as the litigation about the EU-US "Safe Harbour", and then "Privacy Shield", frameworks).

Speculation doesn't really help anyone, in my view, and it certainly doesn't replace the need to be prepared for a situation in which the UK's laws are found not to be adequate.

The agreement does not say that the UK's laws are adequate, which is not a surprise.

Instead, it says that the approach taken during the transition period will continue for four months (possibly six) from the date the agreement enters in force, unless there is an adequacy decision before then, or unless the UK amends its data protection laws in a prohibited way ("taking back control", hah!).

So, in essence, we'll be doing this all over again in four to six months, unless something happens (positive or negative) before then.

The Information Commissioner has described this as:

the best possible outcome for UK organisations processing personal data from the EU.


What you should do now

  • Enjoy your Christmas break, if you are having one.
  • Carrying on operating in compliance with the GDPR.
  • If you have not done so already, map transfers of personal data from the EEA: work out what data you are getting from where, and why. Use this to work out what mechanisms might be available to you, if the UK does not get an adequacy decision.
    • We can help with this, especially if this doesn't mean much to you.
  • You do not need to sign, or offer to enter into, "model clauses" in respect of transfers from the EU to the UK.
    • It's unlikely to be in your interests to sign them, but if it's a choice between signing them and getting a deal, and not signing them and losing the deal, it might be something to consider on a case-by-case basis.
    • If you have contract clauses which entail you entering into the model clauses automatically on "exit day", or something like that, review (and probably revise) these promptly.
  • Keep an eye out for any adequacy decision (or refusal to give an adequacy decision) in the next few months.
  • Be prepared to go through this palaver in the next four (perhaps six) months, or sooner if the UK amends its data protection laws.

We're on holiday until 4th January, but do get in touch in you need a hand with anyone of this.

I want to read the detail for myself

Fair enough! It's here.