On 24 December 2020, the European Union (EU) and the United Kingdom (UK) signed the EU-UK Trade and Cooperation Agreement (the “Trade Deal”) to provide an ordered and more certain outcome for the end of the transition period on 31 December 2020. A process of ratifications will take place in January 2021. A no-deal Brexit has been avoided, but this Trade Deal has been described as “thin.” The Trade Deal includes a zero-tariff regime for many goods. The UK economy is approximately 20% goods, leaving the remaining 80%, the services sectors, with operational uncertainties. The EU’s combined economy is 25% goods and 75% services. From a data protection, General Data Protection Regulation (GDPR) and information security perspective, the Trade Deal provides some clarifications. However, there are still uncertainties to be worked out in the coming months and years.
UK Data Protection Adequacy
The UK will not receive a data protection adequacy decision from the EU before 31 December 2020. As a result, the Trade Deal has extended the data protection status quo that operated during the Brexit transition period, for a further 6 months to June 2021. UK data protection adequacy is not guaranteed in June 2021 and adequacy could be withheld by the EU, but the language of the Trade Deal appears optimistic. An adequacy decision will allow personal data to flow freely from the UK to the EU/European Economic Area (EEA) and from the EU/EEA to the UK, without the need to use the international data transfer mechanisms in the GDPR designed for non-EU third countries. The Trade Deal states that the UK will not be considered a third country for EU/EEA to UK data transfers, for the purposes of EU GDPR, during the agreed extension period. Companies and organisations have a grace period, but still need to plan for the future based on an adequacy decision and also non-adequate third country status.
The need for new EU and UK Data Protection Representatives
Whatever the outcome of the UK data protection adequacy decision and its timing, the UK remains outside the EU. This has been a legal reality since 31 January 2020. Companies and organisations (though not public bodies) without a presence in the EU that offer goods or services to, or monitor, EU citizens in the EU will need to appoint an EU Data Protection Representative in one of the EU’s member states as soon as possible. This is a legal requirement under Article 27 of GDPR. The EU-UK Withdrawal Agreement and related changes to UK data protection laws require UK Data Protection Representatives for organisations based outside the UK, without a presence in the UK, that offer goods or services to, or monitor, UK citizens in the UK. Companies and organisations in the UK, EU, EEA and around the world should conduct a gap analysis and determine whether these services are legally required.
The reduced role of the UK Information Commissioner’s Office (ICO)
The ICO is one of the largest and most active data protection and GDPR regulators. Its English language output has a substantial impact on large parts of the world and on international organisations. Brexit means that it is no longer an EU Supervisory Authority under GDPR and so companies and organisations should repatriate key EU GDPR roles to other Supervisory Authorities based within the EU. Ireland’s Data Protection Commission is a near-neighbour substitute. These EU GDPR roles include registering Data Protection Officers, registering Binding Corporate Rules (BCRs), making referrals to the Court of Justice of the European Union (CJEU) and participating in the work of the European Data Protection Board (EDPB) and European Commission. The ICO’s future output will bind UK companies and organisations and foreign companies doing business in the UK. The extent to which most EU, EEA and international companies, who have an EU lead GDPR Supervisory Authority, will be bound by its guidance, codes of practice, decisions and enforcement is uncertain. It is also unclear how closely the ICO will consider or follow the opinions, recommendations and decisions of the EDPB, CJEU and the European Commission. The ICO will have very little direct legal obligation to do so, going forward. The ICO’s role in the maturing and development of the EU’s GDPR will reduce over time.
The Trade Deal: Clear for Goods, More Uncertain for Services
The service sectors in the UK and EU generate, use and share a lot of personal data and special categories of personal data. The Trade Deal is focused primarily on goods, security cooperation, trade dispute resolution mechanisms and other discrete areas of trade and cooperation. Data flows in many services sectors such as financial services, information technology, business services, professional services, ecommerce/online retail, leisure, tourism, travel, sports, the arts, entertainment and personal services are affected by Brexit. Established data flows will be changed by new trading restrictions, new processes and limits on data sharing. New data flows will be created that companies and organisations must map, risk assess, manage and protect with information security controls. Businesses and organisations in the UK may increasingly turn to non-EU partners, suppliers and customers as UK government policy promotes global trade and new international trading corridors. This will create both challenges and opportunities and require better management of international data transfers, supply chain risks, information security resilience, human rights compliance risks and geopolitical risks.
Complexities in Information Security and Cybersecurity
As the UK is no longer a member of key EU institutions, the immediate future will be uncertain as security, information security and cybersecurity relations are re-established or reconstituted. The UK will lose direct member access to the European Union Agency for Cybersecurity (ENISA), Europol and Eurojust. Cooperation on cross-European cybersecurity threats, risks and responses will be negatively affected in the short to medium term. Companies and organisations should monitor these relationships and bolster their individual cyber defence capabilities. Businesses operating in or enabling critical national infrastructure, or in regulated sectors such as financial services, healthcare, pharmaceuticals and high-value engineering, will need to adopt more substantial measures. Will there be future conflicts over whether UK or EU/EEA cybersecurity standards apply between UK and EU/EEA partners? In the longer term, will international businesses choose to mandate EU/EEA information security standards over UK standards, or adhere to both at additional cost? Companies and organisations will need to strategise about appropriate solutions and sector norms.
Other Immediate and Future Impacts: Work, Travel, Employee Data, Procurement, Immigration, Professional Qualifications and related areas
Personal data requirements, collection, storage and sharing are affected in many common areas, impacting many companies, organisations, supply chains and staff mobility. Human Resources departments, already facing data protection and cybersecurity challenges from the coronavirus pandemic, will face new, fast-changing and unresolved data flows of employee data, including proof and authorisation of professional qualifications. Work permits, visa applications and new immigration rules will diversify data sets and introduce high-risk data processing. Other departments and functions such as sales, marketing, finance, compliance, legal, audit, information security and procurement will face immediate and longer-term data and cybersecurity challenges. Companies and organisations will be in a constant process of realigning, overcoming uncertainties and filling gaps. The future will require embracing new ways of working together, doing business and sharing data and information between the UK, EU, EEA and globally.
For assistance with Brexit, GDPR and EU data flows, contact PrivacySolved:
London +44 207 175 9771
Dublin +353 1 960 9370