On Christmas Eve, the EU and UK announced that a Trade and Cooperation Agreement (TCA) had been finalised. With it, came a sigh of relief from data protection practitioners everywhere. This is because the TCA provides an extension period, of a sort, to allow the European Commission time to conclude its adequacy assessment of the UK. Without this, EEA-UK data transfers would otherwise have been restricted at the end of the Brexit transition period.
The main points of the TCA relating to data protection are set out below.
1.) Data transfers from the EEA to the UK…
- The UK shall not be treated as a third country for an interim period of four to six months from 1 January 2021. This is to allow time for the European Commission (EC) to finalise its adequacy assessment of the UK. The purpose of the adequacy assessment is for the EC to decide whether the UK provides “essentially equivalent” protection for personal data as the EU and, therefore, whether transfers of data may be permitted without the need for organisations to take further measures.
- The interim period will last for a minimum of four months and will be automatically extended to six months, unless either the UK or the EU unilaterally objects. The application of the interim period is subject to two main conditions: (i) the UK must not make any changes to its data protection law; and (ii) the UK data protection regulator must not approve new transfer mechanisms or Codes of Conduct, without the consent of the EU-UK Partnership Council (the Partnership Council will oversee the TCA and make recommendations as to its functioning).
2.) The UK’s entitlement to make changes to its data protection regime following the expiry of the interim period remains subject to the wider provisions of the TCA, and compliance with the fundamental principles of the EU General Data Protection Regulation which are set out in the TCA.
3.) There are also commitments to:
- ensure that individuals are protected against unsolicited direct marketing communications;
- not to restrict cross-border data flows; for example by requiring data localisation or to use locally certified or approved computing facilities – this provision will be kept under review and assessed within three years;
- share Passenger Name Records and vehicle registration information (in the context of international travel); and
- cooperate in relation to criminal record information (including fingerprint records) and DNA.
The UK Information Commissioner’s Office (ICO) has issued a statement confirming the interim period, but recommending that organisations nevertheless consider putting in place data transfer mechanisms during this period, as a “sensible precaution” to safeguard against any interruption to transfer of personal data.
Whilst the interim period is welcome, organisations must remember that this respite only applies in respect of data transfers. Organisations still need to appoint an EU and / or UK representative and update their privacy notices accordingly. Also, it is by no means “a given” that the UK will be afforded adequacy status. It is therefore important to use this time to consider which data transfer mechanisms and technical, organisational and contractual measures may need to be implemented in order to legitimise transfers of data from the EEA to the UK.