UK-EU Trade Agreement: Five Key Practical Implications for Data Privacy in Your Business
The new EU-UK Trade and Cooperation Agreement (the “Trade Agreement”)[1] came into effect on 1 January 2021. There are now two versions of the GDPR: the existing EU regime (the “EU GDPR”) and the new ‘UK GDPR’ which applies an equivalent regime to the UK.
The Trade Agreement provides for a ‘bridging period’ of up to six months during which data transfers from the EU to the UK can continue as though the UK were an EU member state.
There is hope for an EU adequacy decision which will allow the free flow of data from the EU to the UK on a longer-term basis, but it is not certain when that decision will be granted (if at all).
Businesses relying on regular data transfers from the EU to the UK in the longer term would be prudent to put in place fall-back measures to safeguard against interruptions to data flow if there is no adequacy decision before the end of the ‘bridging period’. While there appears to be political will on both sides for adequacy to be achieved before the end of the ‘bridging period’, it is not guaranteed.
A critical overarching point is that businesses need to understand whether they are subject to the EU GDPR, the UK GDPR or both in order to comply properly with their data protection obligations under the parallel regimes. Both have extra-territorial effect which makes this particularly important.
Key Takeaways
- As presently advised, data transfers from the UK to the EU will remain unaffected even after the ‘bridging period’ although the UK government has said this remains under review. Data transfers from the EU to the UK will require additional safeguards if an EU adequacy decision is not received before the end of the ‘bridging period’.
- Organisations may have to appoint a new data protection representative in the UK or the EU where they do not have establishments in both.
- Privacy notices, internal policies, contracts and other documents may need to be updated to reflect the applicable regime(s).
- Organisations may need to change the bases they rely on to process data lawfully. The “legal obligations” basis will no longer allow reliance on UK law for the EU GDPR or EU law for the UK GDPR.
- Corporate groups relying on ‘Binding Corporate Rules’ for intra-group transfers to territories outside the EU/UK may need to have those rules validated by the UK Information Commissioner’s Office or an EU supervisory authority where they weren’t previously.
Transferring personal data from the EU to the UK
The EU GDPR prohibits the transfer of personal data to a third country outside the EU unless: (a) the European Commission has determined that the country to which the personal data is being transferred “ensures an adequate level of protection” (an “adequacy decision”), (b) prescribed ‘appropriate safeguards’ have been put in place (such as Standard Contractual Clauses and Binding Corporate Rules), or (c) an exemption applies (such as where the data subject has provided a valid consent to the transfer). Whilst the UK will now be a ‘third country’, the EU GDPR restrictions on transfers will not apply during the ‘bridging period’.
The European Commission has described the six-month transition period as a ‘bridging mechanism’ to allow an EU adequacy decision to be finalised and adopted.[2] If an adequacy decision is made, there will be no need for businesses to have ‘appropriate safeguards’ (such as Standard Contractual Clauses) in place to legitimise flows of personal data from the EU to the UK.
Transferring personal data from the UK to the EU
No steps need to be taken by businesses transferring data out of the UK to the EU. The UK GDPR restricts the transfer of personal data in the same way as the EU GDPR. However, the UK has already provided that EU member states will be treated as ‘adequate’ for the purposes of the UK GDPR[3], so additional safeguards are not needed.
Local representatives in the EU and the UK
In certain circumstances the EU GDPR applies to businesses that do not have an establishment in the EU (for example, because goods or services are offered to individuals in the EU). If this is the case, it is generally necessary to appoint a representative in the EU to act as a point of contact for EU regulators and EU data subjects. Where businesses no longer have an establishment in the EU (now that the UK has left), but are still subject to the EU GDPR they may need to appoint an EU representative (if they have not done so already). Similarly, businesses that are subject to the UK GDPR but do not have an establishment in the UK will generally need to have a designated representative in the UK (a representative or establishment in the EU will no longer suffice).
Relying on legal obligations as a lawful basis for processing
All processing of personal data must be covered by a ‘lawful basis’. One such basis is ‘compliance with a legal obligation’. As of 1 January 2021, a legal obligation under UK law no longer constitutes a valid lawful basis for processing under the EU GDPR. Similarly, an obligation under EU or EU member state law does not constitute a ‘lawful basis’ under the UK GDPR. Businesses will need to rely on an alternative lawful basis (often ‘legitimate interests’) and update their documentation accordingly (for example, privacy notices will need to be amended to reflect changes to the applicable lawful basis).
Updating documentation
Many businesses will now be subject to the new UK GDPR regime in addition to (or instead of) the EU GDPR regime. Privacy notices, data processing clauses and internal policies should reflect this and be updated. For example:
- Data breach response policies may need to be updated. In particular, breach notifications may now need to be made to both the UK Information Commissioner’s Office and the relevant lead supervisory authority in the EU.
- References to the GDPR may need to be updated to refer to the UK GDPR.
Binding corporate rules
Corporate groups relying on Binding Corporate Rules for intra-group transfers of personal data to territories outside the EU/UK should consider whether their Binding Corporate Rules need to be (a) approved by the UK Information Commissioner’s Office in order that they can be relied upon for ongoing transfers out of the UK, or (b) validated by an EU supervisory authority to enable continued transfers out of the EU (if they were previously approved by the UK Information Commissioner’s Office).
Footnotes
[1] The EU-UK Trade and Cooperation Agreement
[2] Questions & Answers: EU-UK Trade and Cooperation Agreement
[3] See Schedule 2, Paragraph 102 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020)