The U.K. has left the EU and must now negotiate a new relationship with its largest and most important trading partner.
Conversation around the UK/EU trade deal has mostly focused on how goods will be exported and imported in the future. However, UK trade with the EU is also conducted away from customs locations at sea, rail and airports, particularly when it comes to the trade in services which make up a majority of the UK’s trade with the EU.
The UK is a major data hub, while the UK makes up around 3% of global GDP, 11.5% of global cross-border data flows pass through the UK, 75% of this traffic is with the EU. Data will therefore be a major component in the future relationship with the EU, with both the trade in goods and services underpinned by exchanges of data.
When the U.K. was a member of the EU it was bound by common rules on data protection with the UK’s data protection authority, the ICO, sitting on the pan European data protection forum, the European Data Protection Board (EDPB). As part of this the flow of data between the UK and the EU was relatively free, meaning individuals, companies and public authorities could transfer data across the EEA as if it were a single state, as long as data protection rules (the GDPR) were followed.
During the transition period there will be no change to UK data protection rules, it will be business as usual as set out here in a notice from the ICO.
However, at the end of the transition period the U.K. will be a third country, no longer part of the EU’s data protection regime and as a result there will be no intrinsic entitlement to allow data to be transferred between the U.K. and the EU.
To facilitate the future exchange of data, such as personal data, these exchanges will need to be governed either under an agreement between the U.K. and the EU known as an adequacy agreement or through special clauses known as appropriate safeguards.
The ICO has published guidance here on the end of the transition period, as well as a statement on the recent ruling of the CJEU in the Schrems II case.
A positive adequacy decision between the UK and the EU is overwhemingly in the interests of both sides, as well as the thousands of UK and EU individuals, businesses and civil society groups that exchange data every day. An adequacy decision also does not place legal restrictions on the autonomy of either the UK or the EU, and supports the objectives of both sides for achieving a new and benefical trading relationship.
The below FAQs set out the circumstances under which personal data will be able to be exchanged between the U.K. and the EU in the event of a positive adequacy decision being granted as well as in the case where a decision is not reached.
- What is an adequacy decision?
- Does an adequacy decision mean the U.K. must follow EU rules?
- Will the UK’s data protection rules be different at the end of the transition period?
- How long does an adequacy decision take?
- What happens if an adequacy decision isn’t granted?
Adequacy is a process created by the EU to certify that a country (or sector within a country) meets equivalent standards to EU rules on data protection.
Countries can apply for and may be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.
Receiving a full adequacy decision allows personal data to be transferred to and from the EEA as long as the relevant local data protection rules are followed. If the EC won’t grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada.
The Political Declaration signed between the UK and the EU sets the framework for an adequacy assessment to be made and commits both sides to try and conclude this by the end of December 2020. If the UK receives a positive adequacy decision data transfers will continue much as they did before the UK left the EU, with UK companies required to comply with UK domestic rules (The Data Protection Act 2018) to meet the requirements to allow a legal transfer.
You can read more detail on adequacy and international transfers in techUK’s report No Interruptions.
No. The political declaration between the two sides notes that the UK will be establishing its own international transfer regime while the guidance in the UK and EU’s drafts of their negotiating objectives notes that both the UK and EU will retain autonomy over the design of their own data protection rules.
Under adequacy there will be a review by the EU of the UK’s adequacy status at least every four years, which will take into account any relevant developments, however this does not limit the legislative ability of the UK on data protection.
Adequacy also does not prevent the UK from negotiating and signing digital trade chapters in future free trade agreements. New Zealand holds an EU adequacy decision while also being a signatory of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTTP). Japan also holds an EU adequacy decision while being party to agreements and negotiations which cover digital trade, such as the CPTTP and the U.S.-Japan Digital Trade Agreement.
The UK’s departure from the EU will mean that the UK and EU will have legally separate approaches to data protection in the future. This is similar to other countries the EU has adequacy agreements with.
As we understand it there are no plans for new UK laws on data protection, none were announced in the Government’s Queens speech. Further in the Governments outline of its negotiating position in a written statement to Parliament the Prime Minister set out that the UK would have exactly the same regime on data as the EU at the point of exit.
The UK is currently reviewing its data strategy and international transfers regime, however major legislative changes are likely some time away. Similarly, the EU is looking at updating its own data protection rules through a review of the GDPR.
The shortest time an adequacy decision has been completed in was 18 months (with Argentina).
However, because the UK and the EU apply very similar data protection laws the UK is an unprecedented case, meaning that it is hard to judge based on on past decisions.
The UK’s security services will come under scope in this decision. As a third country UK security services are not exempted from assessment under the adequacy process.
This has been a known issue since before the assessment began.
The EU will be able to insist on conditions when granting adequacy that could allow the UK and the EU to reach a positive outcome. The EU and the UK may also agree a security partnership through the FTA negotiations which could support a positive adequacy decision.
If an adequacy decision is not granted by the end of the transition period, the UK and EU will exchange data based on their individual international transfers rules.
At the moment as both the UK and EU have similar rules based on the GDPR there are clearly defined processes for transferring data requiring the use of appropriate safeguards, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).
The ICO has provides detailed information on appropriate safeguards, as well as examples of model clauses which can be used here.
In the preparations for the end of the transition period the UK Government has stated that it will automatically recognise the EU as adequate for data transfers. This means that outbound transfers of data from the UK to the EEA will not be restricted as long as UK data protection rules are followed.
However, the EU has made no such commitment meaning that appropriate safeguards would be needed for inbound transfers, from EEA based entities to the UK. If these were not followed EEA based entities could be investigated and fined by the data protection authority of the host member state.
For further information ICO guidance on international transfers can be found here.