Some Breathing Space for GDPR in the Brexit Trade Agreement: The Good, The Bad and the Ugly.
A no-deal Brexit has been prevented, and both sides are presenting this as a victory and a fine achievement of their goals. Time will tell how it will work out in practice.
First analyses by specialists, politicians and representatives of industry describe a fair, workable set of rules, although many claim more needs to be done to safeguard their interests and to compensate for the disadvantages that arise.
Whether or not you are happy with Brexit and the Brexit deal, we have to work with it from now on.
In addition to many other matters, the 1250-page Brexit agreement also regulates data protection – at least for a certain period of time. The regulation can be found in the chapter “Article FINPROV.10A: Interim provision for transfers of personal data to the United Kingdom” starting on page 427.
It has been agreed that the United Kingdom will not be regarded as a third country by the EU for an initial period of four months.
It is even envisaged that this period will be automatically extended by two months.
This means that data transfers would remain possible under unchanged conditions until at least April 30, 2021, perhaps even until June 30, 2021. See also the ICO statement about this.
Both parties can object to the automatic renewal. It is therefore quite possible that the UK will become a third country relatively quickly. In that case there would be additional barriers to transferring personal data to the UK. In particular, the already known data protection guarantees would also be necessary.
The whole thing is not a permanent solution. Theoretically, there is a possibility that the European Commission will take an adequacy decision in time. Then the UK would remain a third country, but one that would be “secure” from a data protection point of view. However, the question is whether this will happen in the short term. In addition, security authorities in the UK have powers just as far-reaching as those in the US, for example. The consequences are known: we remember the imploded safe haven, the ineffective EU-US Privacy Shield and, last but not least, the secondary rulings in the Schrems II ruling of the EU Court of Justice. With surveillance laws in the UK similar to those in the US, an adequacy decision may be difficult, or even undesired by the EU.
Unfortunately, there are still many uncertainties in general. In our opinion, the transition period for the Brexit deal is nothing more than a postponement. We feel it is just as unlikely that the UK will continue to adhere to a data protection law that is in line with the ideas of the EU, which are perceived as patronizing, to say the least.
Lack of an adequacy decision could mean the need for Standard Contractual Clauses between UK data controllers and EU data processors, a new set of contracts to be negotiated between you and your EU partners.
Outlook for companies
It turns out that the Brexit agreement only affects EU-to-UK data flows. It does not affect any other aspects of the extra-territorial reach of GDPR.
Companies should therefore take the opportunity to evaluate their current privacy provisions and ensure in a timely manner that additional data protection guarantees are in place that are de facto enforceable.
In the light of the outcome of this Brexit agreement this means:
- You don’t need to worry about having Standard Contractual Clauses in place until a decision is made about UK adequacy (or by the end of April/June).
- You do still need to put in place an EU Representative if you are selling products and services to EU citizens AND don’t have an establishment in the EU. See also ICO guidance.
- You do still need to worry about the loss of the one-stop-shop approach to the appropriate authority. UK businesses that process data of EU citizens are likely to be answerable to the ICO and to its EU equivalents (i.e. the loss of the so-called “one stop shop”). For example, data breaches where EU citizens are involved should be reported to the Privacy Authority in the appropriate EU country. An EU GDPR representative is a good support for this.
- You do still need to evaluate and adjust the privacy notice on your website. An analysis of your cookie statement is a strong prerequisite.
So, it would seem that the ICO’s statement on 28th December, which included the sentence “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices” isn’t as broad as we first thought!
For the sake of completeness, it should be noted that the “agreement” still needs to be approved by the different parliaments to be effective.
Please feel free to contact us to discuss the requirements and possibilities. You can reach us on +31 (0)88 8483 100 or firstname.lastname@example.org. Your first consultation is free of charge.
Check https://vivenics.com/general-data-protection-regulation/ for our GDPR services.