Last Updated on Friday, 15 January, 2021 at 11:55 am by Andre Camilleri
Dr Terence Cassar is a Senior Associate at GTG Advocates.
Finally, the EU and the UK have agreed on the Brexit Trade and Cooperation Agreement (Agreement), namely the Agreement which establishes the terms of trade between the EU and the UK
Unfortunately, when it comes to the Agreement’s effects on personal data regulation, the terms of the Agreement can at best be described as being no more than just a gap-stop solution.
The Interim Solution
Under the Agreement, the EU and the UK commit to ensuring a high level of data protection and both recognise that individuals have a right to privacy and that high standards in this regard contribute to trust in the digital economy and the development of trade. So far so good. However, the Agreement does not deal with the “elephant in the room”, namely the key consideration of whether the EU Commission (EC) deems the UK’s data protection legislation as “adequate”, namely, as substantially equivalent to EU laws. This would in turn permit the continued free flow of personal data from the EU to the UK without any additional formality.
In principle as of 1 January, given that UK will no longer remain a Union member, personal data transfers from the EU/EEA to the UK are to be treated as transfers to a third country. Furthermore, as the UK has not yet been bestowed an “adequacy decision”, the GDPR would require such transfers to be lawfully made based on alternative solutions, either using “appropriate safeguards” or based on a derogation to transfer restrictions.
Thankfully however, the EU data exporters will not need to rush into implementing such solutions as the Agreement provides for what is effectively a gap-stop solution, in that it postpones the requirement of treating transfers from the EU to the UK as third country data transfers. This postponement will last until an adequacy decision is granted by the Commission or until 1 May (whichever is earlier). If by then no adequacy decision has been obtained, then there will be a further extension applicable until 1 July (unless either party objects).
Such interim solution is subject to the condition that the UK does not amend its current data protection laws and that the UK does not exercise so called “designated powers” during this period. Designated powers include the UK’s power to issue its own adequacy decisions, to issue standard contractual clauses (SCCs) and to approve new codes of conduct, certification mechanisms and binding corporate rules.
If the UK does want to make any legislative change, approval of the Brexit Partnership Council is required, except for amendments which are limited in scope to aligning UK’s laws with EU laws as these do not require such approval.
Other key provisions
Technically, the Agreement sets out that cross-border data flows shall not be restricted between the parties through “data localisation” requirements or prohibitions. However, the Agreement also provides that “Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred”.
Effectively, this means that restrictions on personal data transfers are possible, insofar as they are not absolute and that the parties treat each other in the same way as they treat any other country.
Furthermore, the Agreement’s provisions on unsolicited direct marketing communications should be particularly taken note of.
Each party to the Agreement commits to protecting users against unsolicited direct marketing communications and to ensure that such communications are not sent to users unless they have given their consent. Notwithstanding this, each party shall allow any person who may have lawfully collected the contact details of a user in the context of the supply of goods/services thereto, to send such marketing communications to that user for their own similar goods/services.
Clarity on upcoming data protection regulation and data flows between the EU and the UK remains elusive particularly as it appears very evident that the Agreement’s temporary solution is only meant to allow enough time for the EU and UK to respectively consider and possibly adopt adequacy decisions.
Critically, an upcoming adequacy decision is by no means a certainty for the UK. The CJEU’s earlier Schrems II judgement should be considered in this regard, which had essentially invalidated the EU-US Privacy Shield in view of the USA’s security-related legislation and ruled against the use of the current SCCs by Facebook and similar companies.
Undoubtedly, the UK’s data processing laws especially regarding national security and bulk data transmission, will cast a doubt on the UK’s chances of obtaining an adequacy decision from the EC, given the considerations made by the CJEU when invalidating the EU-US Privacy Shield in Schrems II on US laws, which considerations seem also somewhat similar/applicable to the UK’s laws. Possibly, even if an adequacy decision is indeed granted, complete certainty will only be achieved once the decision is tested before the CJEU given the precedent established by the CJEU in Schrems II.
On the other hand, with respect to data flows from the UK to the EU, the UK had already announced that it will, at least in the beginning, consider EU/EEA countries as adequate for the purpose of UK to EU/EEA transfers.