Karen Mc Cullagh (University of East Anglia)
The current Prime Minister of the UK, Mr Boris Johnson, was infamously elected to “get Brexit done,” and he claimed to have achieved this goal when the European Union and United Kingdom agreed upon the terms of the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”) on 24th December 2020. However, whilst the ending of the transition period on 31st December 2020 did trigger changes to UK data protection law, the post-Brexit data protection rules are not yet ‘done’. Rather, to avoid a data protection ‘cliff-edge’ the Trade Agreement contains a ‘bridging mechanism’ to facilitate EEA-UK transfers until the European Commission completes its assessment of the UK’s data protection framework. This blog post illustrates that changes to UK data protection law herald a new era of compliance burdens for some data processors, and also explains that whilst the ‘bridging mechanism’ in the Trade Agreement is to be welcomed, the longer-term arrangements remain uncertain, making compliance planning more challenging.
The GDPR and UK GDPR
The first thing to note is that the General Data Protection Regulation (GDPR), as an EU Regulation, no longer directly applies in the UK. However, to ‘maintain the data protection standards in the GDPR in UK law,’ the GDPR has been saved into UK domestic law. It falls within a new category of law created by the European Union (Withdrawal) Act 2018 known as “retained EU law,” and has been renamed the UK GDPR so as to differentiate it from the GDPR. The UK GDPR must be read alongside the Data Protection Act 2018, which gives effect to national derogations permitted by the GDPR.
The UK GDPR and GDPR are for the most part identical, albeit with references to ‘Union or Member State law’ to be read as ‘domestic law,’ and references to decisions made by the EU Commission replaced with references to decisions made by the UK Government. The fundamental principles, obligations on data controllers and processors, and rights for individuals remain the same as those in the GDPR, (save for the one stop shop principle, discussed below), and the Information Commissioner’s Office (ICO) remains the UK’s national supervisory authority, which makes compliance planning and preparation easier. Having said that, the UK GDPR imposes additional compliance burdens on some organisations; not only do UK based businesses that process personal data of individuals in the UK need to comply with the UK GDPR and Data Protection Act 2018, so too do EEA based organisations, including those in Ireland, with or without an establishment in the UK, that offer goods or services, or which monitor the activities of individuals in the UK, as it has extra-territorial effect.
Additionally, UK data controllers without an establishment in the EU that offer goods or services, or which monitor the activities of individuals in EU countries must appoint a representative in an EU country (unless their processing of personal data is occasional and does not include, on a large scale, processing of special categories of data. The role of the representative is largely a passive one – it will be identified in Privacy Notices and can be sent communications from EU individuals and EU data protection supervisory authorities. The representative needs to maintain records of processing activities and co-operate with a supervisory authority if it raises any issues. Similar obligations to appoint a UK representative apply in respect of EU data controllers without an establishment in the UK, increasing the compliance burden.
If there is any consolation to be drawn regarding the additional compliance requirements it is that, at present, they are similar under both regimes, so compliance with the GDPR should ensure compliance with the UK GDPR and vice versa.
Trade and Cooperation Agreement – a bridging mechanism
The Trade and Cooperation Agreement contains a commitment by both the EU and UK to uphold high standards of data protection. Significantly, it does not deal with the question of whether the UK’s data protection regime is “adequate” (i.e., essentially equivalent level of protection to the EU) so as to permit free movement of data from EEA countries to the UK. It is silent on this matter because an adequacy assessment is a separate process to a trade deal and although the Commission commenced its assessment in 2020 the process is not yet complete.
Ordinarily this would mean that additional safeguards would be required to transfer personal data from EEA countries to the UK. However, the Trade and Cooperation Agreement provides that the UK will not be treated as a third country for GDPR purposes for a ‘specified period’ that began on 1st January 2021 and ends either (1) on the date on which an adequacy decision in relation to the UK is adopted by the European Commission under Article 45(3) of the GDPR, or (2) a period of four months, which can be extended by two months by agreement.
As cross-border personal data flows are essential for several sectors of the UK and EEA economies such as banking, ecommerce, financial services, insurance, legal services, telecoms, travel, and tourism, the continued free flow of data between EEA countries and the UK via the bridging mechanism (also informally known as a privacy brolly) is welcome.
However, the arrangement is conditional on the UK not amending its data protection legislation or exercising “designated powers” relating to international transfers without the EU’s agreement during the ‘specified period.’ There is an exception for UK amendments which are limited to changes to align with rules applicable in the EU. The European Commission has published a draft implementing decision relating to new standard contractual clauses for data transfers. If the EU adopts these new clauses, the exception will allow the UK to adopt the same updated clauses, should it wish to do so. But, if the UK changes its data protection laws (other than to align with updates to EU data protection law), or exercises any of the designated powers without consent, the bridging mechanism and specified period will automatically end.
Whilst the inclusion of an additional transition period in the Trade Agreement provides a degree of certainty and stability for businesses, many would no doubt prefer greater certainty regarding the likely outcome of the adequacy assessment because alternative mechanisms are time consuming to implement – so many will worry that if the Commission determines that the UK does not to provide an adequate level of protection, they will find themselves on a data protection cliff edge in a few months’ time
Adequacy – is a Contingency Plan needed?
Although a Declaration attached to the Trade and Cooperation Agreement records the European Commission’s intention to ‘promptly launch the procedure for the adoption of adequacy decisions with respect to the UK under the General Data Protection Regulation,’ it remains to be seen whether the Commission will find the UK ‘adequate,’ particularly in light of the CJEU judgments in C-623/17 Privacy International and C-511-512/18 La Quadrature du Net (the latter joined with C-520/18 Ordre des barreax francophones et Germanophone), which casts doubt on whether the Investigatory Powers Act 2016 contains substantive limits and sufficient safeguards regarding powers to retain and access to bulk data for national security purposes to be compatible with EU law.
Some commentators have forecast that the UK will secure a finding of adequacy, whilst others have forcefully argued that it should not. In my view it is impossible to predict because adequacy assessments involve not only legal considerations but political and economic considerations too and these factors can seemingly prompt the Commission to make a finding of adequacy when a third country’s legal framework is deficient. One example of this approach was the finding of adequacy by the Commission in respect of the now revoked Privacy Shield adequacy decision. It was subject to yearly review, and these reviews were used to elicit greater compliance with GDPR standards over time. Similarly, the Commission insisted that Japan expand the definition of sensitive data in its data protection law as a precondition for adoption of an adequacy decision by the Commission. Only time will tell whether the Commission is satisfied, after reviewing the UK’s ‘Explanatory framework for adequacy discussions’ that, inter alia there are sufficient limitations and safeguards in the UK Investigatory Powers Act 2016 to make finding of adequacy, or whether it is prepared to make a finding of adequacy conditional on changes being introduced, or whether it determines that the deficiencies are too serious to allow a finding of adequacy at this time. If so, the six month time frame may ‘come and go’ without a decision being made if the deficiencies are considered sufficiently serious – as evidenced by Australia, which had not secured an adequacy decision almost a decade after it applied.
Given the uncertainty, the UK Information Commissioner’s Office (the “ICO”) has correctly adopted a pragmatic approach. In a statement published on 28th December 2020 it welcomed the data protection provisions of the Trade Agreement but also advised ‘as a sensible precaution’ that UK businesses work with EU and EEA organisations who transfer personal data to them, to ‘put in place’ alternative transfer mechanisms such as such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules or be prepared to rely on derogations to facilitate EEA-UK personal data transfers. Whilst BCRs and SCCs would be the most suitable alternative mechanisms for many organisations it must be noted that they are burdensome, complex and costly to implement – EFPB Guidance requires companies to, in effect, conduct “mini adequacy assessments” of countries to which data is transferred, using the same criteria as the European Commission when assessing adequacy, and they are potentially open to legal challenge following Schrems II. However, many small and medium sized businesses will not be able to afford take such steps, whilst larger businesses that can afford them would no doubt resent the expenditure if they later proved unnecessary. Therefore, although the advice is prudent it not likely to be followed by many.
Transfers from the UK to third countries
As for UK to third country transfers, the UK has transitionally recognised all EEA countries, EU institutions and bodies as providing an adequate level of protection. Gibraltar is recognised as offering an adequate level of protection, no doubt because it is a British overseas territory. It has also transitionally recognised the 12 countries that have received EU adequacy decisions, namely: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, Isle of Man, Japan (private-sector organisations), New Zealand, Switzerland and Uruguay as providing an adequate level of protection. This will ensure transfers from the UK to these 42 countries can continue in the short-term without additional regulatory checks or safeguards, whereas appropriate safeguards will be needed in respect of transfers to all other third countries.
Going forward, the UK Secretary of State for Digital, Culture, Media and Sport will maintain a list of countries, territories and organisations it has deemed adequate, and will have the power (via negative resolution with no input from the ICO) to revoke existing adequacy decisions and to conduct its own adequacy assessments.
The position regarding transfers of personal data from the UK to the US is, however, more complicated and uncertain following the invalidation by the ECJ in Schrems II of the adequacy decision known as Privacy Shield pertaining to EU-US personal data transfers.
Prior to the Schrems II decision the UK government intended to utilise a modified Privacy Shield arrangement, i.e., one specific to UK-US transfers to facilitate transfers. Whilst the UK government now has the autonomy implement such a transfer mechanism it is unlikely to exercise that power immediately because it would likely trigger the end of the bridging mechanism during the specified period. Moreover, the Commission will review onward transfer arrangements as part of its adequacy assessment, and it would no doubt have concerns about onward transfers of EU citizens’ data from the UK to the US via a mechanism similar to one that has been declared invalid by the CJEU. Accordingly, businesses are advised to continue to use Standard Contractual Clauses bolstered by appropriate supplementary contractual, organizational, and technical measures, as advised by the EDPB, to facilitate transfers to the US.
Main establishments and the ‘One Stop Shop’ principle
Under the GDPR, EEA-based organisations which carry out processing in more than one EEA country only need to deal with a single regulatory authority as their lead supervisory authority. This is known as the ‘One Stop Shop’ principle. It means that, for example, that a single fine would be imposed by one EEA authority as a result of an infringement that occurred a number of EEA countries.
However, organisations with a main establishment in the UK and no establishments in the EEA cannot rely upon the GDPR ‘One Stop Shop’ principle. Yet, as the GDPR has extra-territorial effect in certain circumstances, they may have to deal with the supervisory authorities in all EEA states where data subjects are located, and whose personal data they process. This requirement is prompting organisations with a main establishment in the UK and establishments in the EEA to consider appointing one of their EEA establishments to take advantage of the GDPR ‘One Stop Shop’ and avoid being at risk of regulatory action from multiple EEA regulators. Even so, where cross-border processing involves the EEA and the UK, they will still be subject to the ICO’s jurisdiction, as well as the lead EEA regulator.
In effect, the compliance burden for some data controllers has increased because a data breach that has a multi-country dimension could require notification of both the ICO and at least one EU supervisory authority of the breach, and each supervisory authority could investigate and impose sanctions e.g., fines. This change has already prompted some US-owned companies such as Facebook and Google to transfer all their UK users into user agreements with the corporate headquarters in California, moving them out of out of the control of European Union data protection regulators (rather than face potential legal action in both the EU and UK).
The UK and EU have entered a new phase of ‘looser’ trade relations, but in data protection terms, they remain inextricably linked because of extra-territoriality provisions in both the GDPR and UK GDPR, which have the effect of increasing compliance burdens for businesses operating in both jurisdictions. Whether personal data transfers between the EEA and UK will ‘flow freely’, if a finding of adequacy is made, or be subject to more costly and complex administrative burdens remains unknown, pending the outcome of the Commission’s adequacy assessment. If the Commission determines that provisions in UK national security laws are an impediment to a finding of adequacy the UK government will have to decide whether to ‘forgo’ some sovereignty in ‘watering down’ its national surveillance laws, in order to protect its economic interests, or not. In short, Brexit is not ‘done’ for data protection purposes, and arguably never will be for so long as the GDPR and UK GDPR contain extra-territorial provisions and adequacy review processes!
Dr Karen Mc Cullagh is Lecturer in Law, University of East Anglia, firstname.lastname@example.org