Data, adequacy and the future relationship – an explainer

How will the exchange of personal data be affected by the UK-EU future relationship?

Conversation around the UK/EU trade deal has mostly focused on how goods will be exported and imported in the future. However, UK trade with the EU is also conducted away from customs locations at sea, rail and airports, particularly when it comes to the trade in services, which makes up a majority of the UK’s trade with the EU.

The UK is a major data hub: while the UK makes up around 3% of global GDP, 11.5% of global cross-border data flows pass through the UK, and 75% of this traffic is with the EU. Data will therefore be a major component in the future relationship with the EU, with both the trade in goods and services underpinned by exchanges of data.

When the UK was a member of the EU it was bound by common rules on data protection, with the UK’s data protection authority, the ICO, sitting on the pan-European data protection forum, the European Data Protection Board (EDPB). As part of this, the flow of data between the UK and the EU was relatively free, meaning individuals, companies and public authorities could transfer data across the EEA as if it were a single state, as long as data protection rules (the EU GDPR) were followed. Outside of this framework an additional legal basis needs to be found to transfer data with the EU. This is either a country- or sector-wide solution known as data adequacy, or specific entity-to-entity contractual solutions.

During the transition period until 31 December 2020 there is no change to UK data protection and transfer rules; it will be business as usual, as set out here in a notice from the ICO. However, following the agreement of the Trade and Cooperation Agreement (TCA), the UK and EU published a joint statement agreeing a further bridge period of up to six months after the end of the transition period, during which personal data transfers to the UK will not be considered transfers to a third country. This in effect extends the transition period for data transfers.

This means that during the period (initially four months long, but extendable up to six months) personal data can continue to flow as it did during the transition period. This period is to allow for the completion of an ongoing assessment of the UK’s data protection rules to determine whether the UK will be granted data adequacy.

However, at the end of this period, unless a positive adequacy decision is given, the UK will default to becoming a third country, no longer part of the EU’s data protection regime. As a result there will be no intrinsic entitlement to allow data to be transferred between the UK and the EU, and a new legal basis will be required.

A positive adequacy decision between the UK and the EU is overwhelmingly in the interests of both sides, as well as the thousands of UK and EU individuals, businesses and civil society groups that exchange data every day. An adequacy decision also does not place legal restrictions on the autonomy of either the UK or the EU, and supports the objectives of both sides for achieving a new and beneficial trading relationship.

The FAQs below set out the circumstances under which personal data will be able to be exchanged between the UK and the EU in the event of a positive adequacy decision being granted and, in the case where a decision is not reached, how companies can create a new legal basis for data transfers.

 

  1. What is an adequacy decision?
  2. Does an adequacy decision mean the U.K. must follow EU rules?
  3. Will the UK’s data protection rules be different at the end of the transition period?
  4. How long does an adequacy decision take?
  5. What happens if an adequacy decision isn’t granted?

 

1. What is an adequacy decision?

Adequacy is a process created by the EU to certify that a country (or sector within a country) meets equivalent standards to EU rules on data protection.

Countries can apply for and may be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.

Receiving a full adequacy decision allows personal data to be transferred to and from the EEA as long as the relevant local data protection rules are followed. If the EC won’t grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada.

You can read more detail on adequacy and international transfers in techUK’s report No Interruptions.

 

2. Does an adequacy decision mean the U.K. must follow EU rules?

No. The political declaration between the two sides noted that the UK will establish its own international transfer regime, while the guidance in the UK and EU’s drafts of their negotiating objectives noted that both the UK and EU would retain autonomy over the design of their own data protection rules. This autonomy was confirmed in the final UK-EU TCA. The agreement contains a commitment from both the UK and EU to maintain high data protection standards, as well as a Partnership Council and a commitment to regulatory dialogue, which will allow the UK and EU to continue collaboration on data protection issues.

Under adequacy there will be a review by the EU of the UK’s adequacy status at least every four years, which will take into account any relevant developments. However, this does not limit the legislative ability of the UK on data protection.

Adequacy also does not prevent the UK from negotiating and signing digital trade chapters in future free trade agreements. New Zealand holds an EU adequacy decision while also being a signatory of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). Japan also holds an EU adequacy decision while being party to agreements and negotiations which cover digital trade, such as the CPTPP and the U.S.-Japan Digital Trade Agreement.

 

3. Will the UK’s data protection rules be different at the end of the transition period?

The UK’s departure from the EU will mean that the UK and EU will have legally separate approaches to data protection in the future. This is similar to other countries the EU has adequacy agreements with. Both the UK and EU have agreed in the TCA to ensure high levels of personal data protection and to work together on data protection issues.

As we understand it, there are no plans to significantly overhaul UK laws on data protection; none were announced in the Government’s Queen’s Speech. Further, in the Government’s outline of its negotiating position in a written statement to Parliament, the Prime Minister set out that the UK would have exactly the same regime on data as the EU at the point of exit.

The UK is currently reviewing its data strategy and international transfers regime through the National Data Strategy; however, major legislative changes are likely some time away. Similarly, the EU is looking at updating its own data protection rules through a review of the GDPR and the Digital Services Act and Digital Markets Act.

During the additional six-month bridge period, if the UK makes specific changes to its data protection regime, such as enacting new Standard Contractual Clauses or Binding Corporate Rules, then the EU can halt the assessment and end the bridge period. This would result in a no adequacy outcome and force the UK and EU to exchange data on third country terms.

 

4. How long does an adequacy decision take?

The shortest time an adequacy decision has been completed in was 18 months (with Argentina).

However, because the UK and the EU apply very similar data protection laws, the UK is an unprecedented case, meaning that it is hard to judge based on past decisions.

The UK’s security services will come under scope in this decision. As a third country, UK security services are not exempted from assessment under the adequacy process.

This has been a known issue since before the assessment began, and to address this the UK-EU TCA contains specific commitments when transferring personal data for security purposes.

5. What happens if an adequacy decision isn’t granted?

If an adequacy decision is not granted by the end of the additional six-month bridge period, the UK and EU will exchange data based on their individual international transfers rules.

At the moment, as both the UK and EU have similar rules based on the GDPR, there are clearly defined processes for transferring data requiring the use of appropriate safeguards, such as standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs).

The ICO provides detailed information on appropriate safeguards, as well as examples of model clauses which can be used here.

In the preparations for the end of the transition period the UK Government has stated that it will automatically recognise the EU as adequate for data transfers. This means that outbound transfers of data from the UK to the EEA will not be restricted as long as UK data protection rules are followed.

However, the EU has made no such commitment, meaning that appropriate safeguards would be needed for inbound transfers from EEA-based entities to the UK. If these were not followed, EEA-based entities could be investigated and fined by the data protection authority of the host member state.

For further information please see ICO guidance on international transfers. There is also UK Government guidance to help businesses prepare for a no adequacy outcome, which can be found here.