The UK and EU have reached a trade deal. With 5 days before it comes into force, there’s barely enough time for the politicians to ratify it, let alone analyse all 1,256 pages. As if the politicians would be the ones poring over the detail: that will fall to the economists, analysts and, of course, the lawyers. The purpose of this post is not to assess the deal, just the data provisions. The agreement is here (PDF) if you fancy some light reading.
One thing is clear: data transfers will continue freely as at present between the UK and the EEA for up to 6 months. This should allow sufficient time for the EU Commission to confirm the UK’s data protection laws adequately comply with GDPR standards. In theory, this should be a rubber-stamping exercise of UK laws. The only fly in the ointment is likely to be the UK’s extensive snooping laws. Similar laws in the USA scuppered the Safe Harbour and its successor, Privacy Shield. We might see a couple of years of activity where an adequacy decision is issued by one EU institution (the Commission) followed by another one (ECJ) cancelling it. Max Schrems probably has his hands full already but there is no shortage of data protection activists.
Whatever happens, businesses have a grace period. They don’t need to rush out and enter into data transfer agreements adopting the EU Commission’s model clauses to allow data transfers to continue. Better late than never but this should come as a great relief to many businesses. Assuming the EU Commission issues an adequacy decision before the end of June 2021, this situation will continue, preserving data flows for longer.
Of course, there is still the possibility that the ECJ and the UK Supreme Court will rule differently on the same point of law. Judges are less prone to the histrionics or whimsies of politicians, but never say never. That scenario could lead to further tensions and, ultimately, affect data flows.
This trade deal is not the beginning of the end; it is the end of the beginning. The next few years will see some interesting developments. But at least we have certainty in the immediate term.
If you need advice, contact me at email@example.com or +44 (0) 20 7611 2338.
Don’t you think there’s a more serious risk that the Commission won’t grant adequacy – because of the July Schrems judgment and the October ECJ ruling against limitless data collection? Otherwise the US would surely have grounds to challenge the abrogation of Privacy Shield. Granted UK DP law is presently a cut and paste of the GDPR, obviously, but we’ve also seen strong criticism of the ICO’s independence from some European quarters – even if we assume the Dutch have been placated by the withdrawal of UK access to the Schengen database. The trouble with not “rushing” to implement SCCs is that if adequacy is not granted there will be significant political pressure on EU DPAs to do something about it – compare the responses of the German DPAs (notably Berlin) following Schrems II as opposed to Schrems I. I think there’s still material risk for data-intensive businesses in assuming that we’ll have BAU for data flows. I also suspect that the extended adequacy transition is to provide a background for ongoing negotiations regarding financial services market access – you can’t help feeling that it’s been done in part to give the EU another lever to pull. If the UK doesn’t give enough ground on FS – presumably in regulatory alignment and staged transfer of e.g. euro clearing to EU entities – then the Commission might come under pressure further to delay a grant of adequacy, to add material conditions to it or not to grant it at all.
Indeed. No harm in adopting the SCCs – this deal gives businesses a bit more time to assess their options.
[…] can continue to transfer personal data freely between the UK and EU. This is because, under the Brexit deal reached at the last minute the UK has promised to mirror EU law – so-called “UK GDPR”. Following this the EU Commission has declared the […]