Brexit has raised many questions regarding the future of data protection and digital trade. Whilst the UK’s incorporation of the General Data Protection Regulation (GDPR) into domestic law in January 2020 eased some uncertainty, questions remained open, in particular the status of data transfers from the European Economic Area (EEA) to the UK. Given the importance of digital trade to the economic future of both the EU and the UK, it was crucial that the Trade and Cooperation Agreement (TCA), signed on December 24, 2020, would facilitate frictionless digital trade post-Brexit. As detailed below, the TCA reached a positive, pro-business position on data protection and digital trade that should be welcomed by organisations navigating the new relationship between the UK and EU in these important areas.
- In a draft decision of the European Commission (EC), the UK has been deemed to provide an adequate level of data protection. Once this draft decision is approved, data transfers from the EEA to the UK can continue as before for at least four years. Until approval of the decision (or, if no approval, through 30 June 2021), data transfers from the EEA to the UK can continue without restriction. It is unclear how long approval will take.
- Organisations should be aware that the TCA does not change their obligations to (1) appoint a representative in the EU or UK, if they do not have a company established in either jurisdiction; and (2) update their privacy notices to reflect the reality of current data transfers.
- With respect to digital trade, the message is business as usual. What will therefore shape the future of digital trade between the EU and UK will be their respective approach to the regulation of digital trade and whether the parties diverge or coalesce on regulatory reform.
Data Protection: Certainty, for Now
The TCA provides a welcome, temporary solution to the issue of data transfers from the EEA to the UK. Absent the TCA, beginning January 1, 2021, the UK would have been considered a third country for the purposes of data transfers from the EEA to the UK. All organisations would have therefore been required to implement a valid data transfer mechanism to legitimize such transfers under the GDPR, such as the EC’s Standard Contractual Clauses. Organisations would also have had to undertake transfer impact assessments to determine whether the UK provides "essentially equivalent" protection of personal data to that guaranteed under EU law and, if not, would have had to implement supplementary technical, contractual and/or organizational measures to safeguard their data transfers. Such obligations can be onerous, even for the most well-resourced business.
Organisations will therefore be reassured that the TCA provides a "specified period" during which transfers of personal data from the EEA to the UK will not be considered transfers to a third country. This specified period will continue until the earlier of (1) a maximum of six months from the date the TCA entered into force or (2) the date on which the EC adopts an adequacy decision regarding whether the UK maintains an adequate level of data protection. This arrangement is further contingent on the UK not changing its data protection framework, unless otherwise agreed to by the EU.
On February 19, 2021, the EC published its draft adequacy decision on the UK, finding that the UK does ensure an essentially equivalent level of protection to that which is guaranteed under the GDPR. Whilst this will be welcome news for many organisations, the story is not over yet. Before the decision is formally adopted, the European Data Protection Board (EDPB) will issue a nonbinding opinion on the EC’s draft decision. Whilst the EDPB may not reverse the EC’s conclusion, the EC must take the EDPB’s opinion into account. Only then may the EC seek the approval of member states, and it is unclear how long this process will take. Should approval not be obtained prior to the expiry of the specified period, organisations will be required to implement a valid data transfer mechanism to legitimize data transfers from the EEA to the UK. Organisations should therefore watch this space closely and carefully consider their data flows over the coming months, in anticipation of the specified period expiring before approval of the EC’s decision. It is also worth remembering that any decision, once approved, will be valid for four years. Whilst an adequacy decision in this instance was expected, any divergence in the UK’s data protection landscape in the coming years could lead to a less favorable outcome.
Data transfers from the UK to the EEA are more straightforward. Whilst the TCA does not address such transfers, Schedule 21 of the UK's Data Protection Act 2018 recognises the EEA as adequate unless and until the UK performs an adequacy assessment. Data transfers from the UK to the EEA can therefore continue without further restrictions unless a decision to the contrary is reached, with the UK government indicating only that this is “under review.”
Looking to the future of the UK and the EU’s relationship with respect to data protection, the TCA requires collaboration on data protection matters through dialogue, the exchange of expertise and cooperation on data protection-related enforcement. Therefore, whilst the UK Information Commissioner’s Office (ICO) will no longer have voting rights on the EDPB, the TCA opens the door for a deeper relationship among the ICO, the EDPB and any EEA supervisory authorities.
Organisations should be aware that the TCA does not change their obligations to: (1) appoint a representative in the EU or UK if they do not have a company established in either jurisdiction; and (2) update their privacy notices to reflect the reality of current data transfers.
Digital Trade: A Positive Result for Business
As a testament to both the importance of digital trade and the ability for the EU and UK to reach an agreement (unlike in other key areas such as financial services), the TCA contains an entire chapter dedicated to the UK and EU’s relationship with respect to trade conducted via electronic means.
Organisations can applaud the TCA for prohibiting data localization, meaning that neither the EU nor the UK can require or prohibit the storage or processing of data in a particular jurisdiction, subject to limited exceptions, e.g., on the grounds of security interests. The rejection of this burdensome practice is good news for business and the free flow of data.
A commitment to maintaining the status quo with respect to digital trade is also evidenced by (1) a prohibition of customs duties on electronic transmissions; (2) a requirement that services can be provided electronically by default, i.e., a prohibition on prior authorisation; and (3) a requirement to recognize contracts concluded electronically, such as via electronic signatures.
Unimpeded digital trade also relies on commitments of the parties in the regulatory sphere. The TCA requires that the EU and UK continue to prohibit unsolicited direct marketing communications (i.e., marketing campaigns that users have not opted in to receive) and adopt or maintain measures to protect consumers engaging in digital transactions. This will mean that whilst the UK can develop its own approach to the regulation of digital trade, existing UK laws providing for a minimum level of consumer protection must be maintained.
The chapter on digital trade also imposes a positive obligation on the UK and EU to cooperate on the regulation of digital trade (including consumer protection) and the development of emerging technologies. The Partnership Council (newly formed under the TCA) may be the right forum for this cooperation, and whilst it is currently unclear how it will operate in practice, at least there is the potential scope for cross-fertilization of ideas and integration between the UK and EU regulatory bodies in the years to come.
Trainee solicitor Angus Goalen contributed to this article.