What will a Brexit deal mean for me on personal data and GDPR?
There’s a short and a long answer to this. Starting with the short answer: for four months it doesn’t make much difference, but don’t be complacent. The agreement is essentially that we continue as we are for four months, with an optional extra two months. This gives the EU up to six months to make an ‘adequacy’ decision, which could then allow us to exchange personal data with the EU.
This though is where you need the longer answer. What is this ‘adequacy’ decision? And what should I do?
Current UK personal data legislation is based on the EU’s General Data Protection Regulation, which sets standards of data protection and privacy and which the UK Government in effect Brexit-proofed through the Data Protection Act 2018. This in effect implemented it in UK law from the end of the exit transition period, where it becomes the ‘UK GDPR’.
However, the EU’s GDPR regime distinguishes between EU members and ‘third countries’, setting a series of hurdles for EU personal data to be ‘exported’ out of the EU to third countries.
So, from 1 January 2021, with the end of the Brexit transition period for the UK, the UK will become one of these ‘third countries’. This means that in order for personal data to be transferred from the EU to the UK, there needs to be ‘adequacy’ compared to EU standards for the transfer of the data. In effect this can either be via meeting one of the GDPR requirements, such as using Standard Contractual Clauses or Binding Corporate Rules, or through the EU confirming ‘adequacy status’ for the UK – this would allow EU/UK businesses and organisations to continue to exchange data freely as they had done pre-Brexit.
The Brexit deal, or more correctly the EU-UK Trade and Cooperation Agreement, did not grant this adequacy status itself. What it did do is create a further transition period of four months in which the UK would not be treated as a third country for EU to UK transfers of personal data, mutually extendable by a further two months, thereby giving the European Commission up to six months in which to agree and adopt an adequacy decision. In the meantime, the period can be shortened if an adequacy decision is reached sooner, and a framework is in place should the UK make changes to its data protection arrangements.
In the meantime, the UK Government has already decided that the EU and UK GDPRs are comparable and represent ‘adequate provisions’ for data flow from the UK to the EU.
So, should I worry? On the one hand, with the UK GDPR being in effect an implementation of the EU’s GDPR, an adequacy decision should not be that difficult. However, it would be prudent not to assume that there will be one, or that it will arrive on time, especially as it requires a proposal from the European Commission, an opinion from the European Data Protection Board, approval by the representatives of EU countries and the adoption of the decision by the European Commission.
So now could be a good time to review what you have in your contracts on data transfers and ‘third countries’ such as the US, just in case the UK does become a ‘third country’ for data transfer purposes. This is really about what gateways you have and whether, for example, you have the ‘Standard Contractual Clauses’ in place. These are contractual clauses adopted by the European Commission which in effect create a gateway for passing data by placing contractual obligations on the data exporter and importer which can be directly enforced by individuals. These have recently been revised and the new ones are expected to be adopted by the European Commission in early 2021. Users then have twelve months to change their contracts.
But it’s also a good idea to review because, judging by the contracts and privacy policies we have reviewed, a significant number of businesses and organisations have been relying on the US-EU Privacy Shield for transfers to the US and have not taken account of its having been found not to be valid by the European Court of Justice in July 2020. This should have led many people to review their use of it and to rely instead on other means such as the Standard Contractual Clauses. Again, judging by what we have seen, there is a significant risk that organisations have not done this.
So our recommendation would be to use this as a prompt to review what you have in place. Six months is not long.