Data Transfers: Is the free flow of data from EEA to UK about to end?
Until 31 December, data can flow freely between the European Economic Area (EEA) and the UK. But will this be the case on 1 January 2021, when the Brexit transition period finally ends?
It’s looking unlikely.
As the months remaining become weeks, pessimism reigns. In a poll of a 170-strong audience at our recent Privacy Question Time event, people were split on whether a UK adequacy decision will be granted.
Do you think the UK will be granted adequacy status by the EC?
Far from an exact science, but an interesting snapshot of opinion.
What is ‘adequacy’?
Outside the European Union, the UK becomes what is termed a ‘third country’. Unless an adequacy decision is granted by the European Commission (EC), data transfers from the European Economic Area (EEA) to the UK will become subject to restrictions at the end of the transition period.
Adequacy is granted to non-EEA countries which are carefully assessed and judged to provide an ‘adequate’ level of data protection and guarantee a level of protection fundamentally equal to the protections ensured by the EU.
Countries which enjoy adequacy include New Zealand, Argentina, Israel and most recently Japan.
Why does adequacy matter?
International data transfers are more complex when subjected to restrictions. Organisations need to implement additional safeguards to protect personal data when it’s transferred from the EEA to another organisation, be it a controller or processor, based in a non-adequate country.
Organisations must use a valid transfer mechanism, one of the most commonly used are EU Standard Contractual Clauses (SCCs) – also known as model clauses. To further complicate matters the unilateral use of SCCs was thrown into turmoil by the CJEU’s Schrems II Ruling in July this year.
What about UK GDPR?
In its Brexit guidance, the UK Information Commissioner’s Office clear states;
“The UK is committed to maintaining the high standards of the GDPR (General Data Protection Regulation) and the government plans to incorporate it into UK law at the end of the transition period.”
So, if the UK is sticking with GDPR, why is there a problem? It’s a reasonable question to ask.
Surely this means the UK has a similar, if not identical, data protection regime and the EC should automatically grant adequacy.
If only it were that simple… like fishing rights or level playing field provisions!
There’s also talk that if there’s no deal, the UK could diverge on data protection.
Adequacy – what are the hurdles?
There are core concerns which mean the EC might not make an adequacy decision by 31 December, or indeed in the near future thereafter. These concerns largely focus on two areas;
- It’s part of the bigger negotiation process. A ‘no deal’ would mean no agreement on many issues, including data protection
- There are concerns the UK’s Investigatory Powers Act 2016; UK surveillance law is incompatible with EU law.
A ruling in October by the Court of Justice of the European Union (CJEU) poured more doubt on the likelihood of an adequacy decision. The ruling found UK law permitting intelligence agencies to collect bulk communications data is incompatible with EU law.
Essentially the CJEU has found UK surveillance practices suffer from similar incompatibilities with EU law identified with the US surveillance practices, which brought down the US Privacy Shield in the Schrems II ruling.
Simone Vernikov, Privacy Legal Counsel at One Trust points out the UK is now under a level of scrutiny, that its European counterparts have not be subjected to.
“There is a bit of a contradiction here as surveillance laws within European countries have been far less scrutinised than those outside the EU. It is weird that a country like the UK that has implemented GDPR would not be deemed adequate.
We will have to see what happens, there are those that see UK potentially becoming a ‘data haven’, which is certainly something the EU would want to avoid. If the free flow of data does not continue, I believe this will be economically devastating for the UK.”
Privacy and Data Protection Officer at Direct Line Group, Chris Whitewood echoes these concerns and is not optimistic about an adequacy decision.
“There’s a mutual self-interest to get data flows continuing. On the one hand there’s the trade deal and on the other there’s the Investigatory Powers Act, and the recent ruling from the ECJ has thrown a spanner in the works. The UK surveillance regime has always been questioned by Europe, this is nothing new and an area the UK has sought to reassure its European counterparts. Other states, such as France, Germany and Italy have extensive surveillance regimes too.”
The UK and EU are essentially regime mirrors, so it’s difficult to say now we are not adequate. I think the politics will be the biggest factor here and how nasty it gets. There will be a push to get adequacy, but I am not hopeful.”
I would agree. Any decision on adequacy is highly political, and a bargaining chip in the wider EU trade deal. For example, EU countries which are scrutinised for their record on Human Rights (such as Hungary) are not subject to scrutiny regarding data protection. Other non-EU countries enjoying adequacy may also be considered to have lesser protections than those of the UK.
What should Business do now?
The best advice is do not ignore this issue. Take measures to prepare your business for a No Adequacy decision. Robert Bond, Legal Counsel at Bristows LLP, advises making sure you have data transfer solutions in place;
“It is difficult to predict whether or not UK will get an adequacy ruling prior to Brexit, but what is predictable is that the UK will no longer be an EU member state and will be an importer of personal data when it is received from the EEA or indeed other countries that are already deemed adequate by the EU.
It is important for UK controllers and processors to have in place data transfer solutions for import of personal data from the EEA and other jurisdictions with restrictions on international data transfers as much as it is for the export from the UK of personal data to other jurisdictions.”
Debbie Evans, Group Data Protection Officer at Rentokil Initial has taken a pragmatic approach;
“To accommodate for the worst case – i.e. that we won’t have adequacy by 1st January 2021, we’ve put EU Standard Model clauses in where we can.”
Following the Schrems II ruling, the European Data Protection Board (EDPB) has recently published recommendations for international transfers.
The European Commission has also published long-awaited proposed replacement Standard Contractual Clauses, This is open for feedback until 10 December 2020 and it’s anticipated organisations will have one year to adopt revised SCCs.
The task facing data protection and compliance teams will depend on the complexity of international transfers conducted. We can only hope regulators across Europe and UK will appreciate the monumental challenge recent rulings and Brexit uncertainty represent for business – and the reciprocal impact on all of our economies.
Philippa Donn, November 2020
DPN can help you navigate these stormy waters
Do you have the resources and specialist skills in-house to ensure your data transfers comply with these recommendations? If you’d like some help contact us. We help many organisations with pragmatic no-nonsense solutions to their data protection challenges. Let us help you too!
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.