Brexit Transition Period
On the 24th December, the UK government and the EU provisionally agreed to the negotiated terms of the draft EU-UK Trade and Cooperation Agreement (still pending ratification by the EU), avoiding the risks of a no-deal Brexit scenario.
However, the draft agreement now provides for a further extended transition period of 6 months, during which time the UK will still be essentially classed as an EU Member State for the purposes of data processing.
What happens now?
Although the EU GDPR no longer applies to the UK, the GDPR has already passed into UK law in the Data Protection Act 2018 (now known as the UK GDPR) and so most obligations simply continue as normal.
We had expected a possible important change at the end of 2020 — that the UK would become a ‘third country’, meaning that the rules for transferring personal data between the EU and UK might be subject to change.
However, the new announcement means that this possible change has been postponed until June 2021. This means that currently all data transfers can continue as normal.
The adequacy decision
The UK has already decided that transfers of personal data from the UK to the EU are to be treated like transfers within the UK.
The EU will now decide whether or not to grant adequacy status to the UK. This decision was not part of the Brexit deal and the EU Commission will now be working on this, hopefully with an answer before June 2021.
On the surface it seems likely that the UK will receive adequacy status, since it has already adopted the GDPR in full, and not granting adequacy to a departing member state would set the bar for adequacy very high. However, this is not a certainty. The UK government has previously flirted with the idea of regulatory divergence with regard to data protection, which may make adequacy more difficult to achieve. This seems less likely now, though, given that the architects of this type of UK-EU de-harmonization strategy have recently been purged from government. The Biden victory in the US presidential elections will also contribute to the UK government turning back towards EU alignment, since a UK-US trade deal based on deregulation under a Trump presidency is now less likely.
The EU Commission will also, of course, have to consider the implications of the Schrems II judgement, and there is a possibility that any adequacy decision will soon be tested in the CJEU, much like the Privacy Shield. The Schrems II judgement in part highlighted the importance of how local laws are implemented and practised, especially the extent to which third-country governments are able to exercise state surveillance powers to oblige companies to turn over personal data. The EU Commission will now have to consider whether the UK, as a third country, has state powers that might infringe on the data rights of EU citizens, and it will be interesting to see how this decision plays out in the coming months.
To borrow a famous phrase from the deep lexicon of Brexit, ‘nothing has changed’. Currently, until at least June 2021, data flows between the UK and EU can continue as normal.
However, businesses should continue to prepare for the end of the extended transition period, ensuring that contingency plans are in place in the event, albeit somewhat unlikely, that the UK is deemed an inadequate third country.
If this scenario does transpire, businesses will need to ensure that flows of data from the EU into the UK are governed and managed appropriately, with SCCs, due diligence activities and transfer impact assessments completed and in place with any UK-based suppliers who process personal data of EU citizens.
Businesses can ensure they are ready to roll out these changes, if necessary, by getting prepared now. Although contractual and other changes cannot easily be made ahead of the adequacy decision, organizations should ensure that they have a solid understanding of exactly how data currently flows between EU and UK entities. This should be documented in a ROPA or similar asset, which will make the management of any necessary compliance changes simpler, should the need arise.
We will of course keep you updated with developments in this area.
The Lucid Privacy Group actively manages privacy strategy and operations and serves as DPO for startups and rapidly scaling technology companies. We come at the issues with a pro-privacy, product and technology orientation, and can translate arcane legalese into real world, pragmatic terms. Drop us a line at firstname.lastname@example.org or visit us on the web or Twitter.