Data Protection and the EU-UK Trade and Cooperation Agreement
On 24 December 2020 the UK and the EU agreed the EU-UK Trade and Cooperation Agreement ('TCA'). The TCA came into effect on 1 January 2021, marking the end of the full status quo that applied to the relationship between the UK and the EU during the transition period. The TCA outlines in principle the UK's future relationship with the EU.
In this article we explore the key provisions relating to data protection, including international transfers, data localisation, direct marketing and law enforcement.
Data Transfers
As negotiations went to the wire, organisations were forced to plan for a no-deal Brexit, meaning that the UK would be treated as a third country. In particular, a no-deal Brexit would have meant that transfers of personal data from the EEA to the UK would be treated like transfers to any other third country – requiring appropriate safeguards in accordance with Chapter V of the General Data Protection Regulation (GDPR).
However, the TCA has provided a welcome, short reprieve. Under the TCA, the UK and the EU have agreed a "bridging period" to apply to data transfers between the EEA and the UK during which such transfers will not be treated as a transfer to a third country (i.e. additional safeguards are not mandatory). This is important as it has avoided the need for organisations to put measures into place.
The "bridging period" applies until the earlier of an adequacy decision being granted, or 1 May 2021. There is a two month extension to 1 July 2021 which will apply automatically if an adequacy decision is not granted by 1 May 2021 and the parties do not object.
The "bridging" period is conditional on the UK not making any changes to its data protection legislation, or exercising its designated powers, during this time. Such designated powers include making any decisions relating to data transfers or approving new binding corporate rules without the approval of the Partnership Council (Art. FINPROV.10A).
Transfers of personal data from the UK to the EU are not covered by the TCA. However, under the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ('EU Exit Regulations') the UK grants all EEA member states an interim adequacy decision and also permits UK organisations to continue to rely on the 13 adequacy decisions granted by the EU.
Data Localisation
A key aspect of the TCA is the UK and EU's commitments to ensuring a high level of data protection whilst also facilitating trade in the digital economy:
"Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade" (Art. DIGIT.7).
The TCA provides that the UK and EU will not restrict cross-border data flows and sets out a list of types of provisions which would be considered a restriction, such as imposing localisation requirements for the storage or processing of data in a given territory, requiring the use of computing facilities in a specific territory, and prohibiting the storage of data in the other party's territory (Art. DIGIT 6).
Direct marketing
The TCA also sets out high-level commitments around direct marketing by email using public telecommunications (Art. DIGIT 14). Such commitments include:
- protecting users against unsolicited direct marketing;
- using a consent-based model for direct marketing by email, subject to compliance with local laws, save for marketing in the context of a previous supply of goods or services (in which case soft opt-in rules may apply); and
- clearly identifying direct marketing communications, identifying on whose behalf they are made and enabling users to request cessation free of charge and at any time.
Law enforcement
The TCA also provides commitments around law enforcement and judicial cooperation in criminal matters for the purposes of "prevention, investigation, detection and prosecution of criminal offences and the prevention of and fight against money laundering and financing of terrorism" (Art. LAW.Gen 1). It is important to note that Part 3 does not cover national security.
The basis for cooperation is respect for the fundamental rights and freedoms of individuals, including as set out in the European Convention on Human Rights and the Universal Declaration of Human Rights.
Part 3 includes comprehensive provisions relating to sharing of security-relevant personal data such as:
- the exchange of DNA, fingerprints and vehicle registration data;
- the UK's cooperation with Europol and Eurojust, and access to data held by these institutions;
- the transfer and processing of passenger name record data by the United Kingdom with respect to flights between the EU and the UK;
- the sharing of criminal records; and
- mutual cooperation and assistance between law enforcement and judicial authorities.
Many of the provisions of Part 3 align this arrangement with the principles detailed under the General Data Protection Regulation 2016/679 (GDPR) and the Law Enforcement Directive (EU) 2016/680.
Regulatory Independence
Whilst the UK and EU have committed to shared data protection values, and to promoting high international standards of data protection, the parties have retained the freedom to regulate privacy and data protection independently (Art. GRP.1). However, any adequacy decision may be revoked if regulatory divergence leads to UK data protection law no longer being considered "essentially equivalent" to the law in the EU.
What does the "bridging period" mean for UK organisations?
It is important to remember that the "bridging" period only applies to data transfers. There are now two parallel data protection regimes, and you should consider other implications that Brexit may have with respect to your data protection arrangements and make any necessary adjustments.
Below are 10 recommendations you should consider when processing personal data post-Brexit.
1. Map data flows – How do we know which arrangements include cross border processing?
You should map your organisation's international flows of data (including transfers between the EEA and the UK) in order to assess what action to take in respect of transfers of personal data outside the UK.
The ICO recommends that you prioritise mapping data flows for transfers of large volumes of data, special category data, criminal convictions data and business-critical transfers of data.
As set out above, the UK has granted all EEA member states an interim adequacy decision and permits UK organisations to continue to rely on the 13 adequacy decisions granted by the EU. So you are not required to put in place any additional data transfer mechanisms for transfers from the UK to these countries.
However, if transferring personal data outside the UK to third countries, you should put in place appropriate safeguards so that such transfers are lawful (see point 2 below for transfers from the EEA to the UK).
2. EEA to UK transfers of personal data - What safeguards should we now have in place?
If your organisation transfers personal data from the EEA to the UK, you should prepare for the possibility that the EC may not grant the UK adequacy by taking steps now to implement appropriate data transfer safeguards before the end of the "bridging" period.
One of the safeguards available to you under the GDPR is to enter into the EC's approved Standard Contract Clauses (SCC). If you choose to implement the SCCs to enable transfers of personal data from the EEA to the UK, you should consider whether any further requirements are needed as a result of the recent Schrems II decision (see point 3 below).
3. Schrems II – Do we need to undertake a transfer risk assessment?
The decision of the European Court of Justice in the Schrems II case requires organisations that transfer personal data to third countries to carry out case-by-case risk assessments of whether the relevant third country's law offers a level of personal data protection that is essentially equivalent to that provided in the EU.
This requirement does not apply to third countries that are recognised by the EC as providing adequate data protection. The EC currently recognises Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection. Therefore, unless the EC grants the UK adequacy before the end of the "bridging" period (see point 2 above) you will also need to conduct a risk assessment in respect of any transfers of personal data your organisation makes from EEA member states to the UK.
4. EU-US Privacy Shield – Is the EU-US Privacy Shield still a valid safeguard for transfers from the UK to the US?
The decision in Schrems II found the EU-US Privacy Shield to be invalid. This means it is no longer a lawful way to transfer personal data from either the EU or the UK to the US.
This decision will form part of UK law, and therefore you need to consider what other measures should be put in place to cover transfers from the UK to the US, such as the SCCs, to ensure that such transfers continue to be lawful. The same risk assessment as discussed at point 3 above should also be conducted in respect of these UK-US transfers.
5. EU representative – Do we need to appoint an EU representative?
If your UK-based organisation does not have an establishment in the EEA, but either (i) offers goods and/or services to individuals in the EEA, or (ii) monitors the behaviour of individuals in the EEA, you will need to appoint a European representative in one of the EU Member States in which those individuals are located.
This EU representative may be an individual or a company. The representative must be physically based in the EU, and be authorised to act on your organisation's behalf (including dealing with relevant data supervisory authorities) with respect to compliance with EU data protection law.
6. Customer documentation – Do we need to update our privacy notices?
You should update your organisation's privacy notices and other data subject-facing documents (such as standard terms and conditions) in order to provide details of your EU representatives, refer to the UK as a third country and make reference to either UK data protection law or EU data protection law, as appropriate.
7. Internal documentation – Do we need to update our policies and procedures?
You should review and update your organisation's internal data protection policies, procedures and records, such as data breach notification procedures and data protection impact assessments, to reflect changes to international transfers and supervisory authority notification requirements.
8. Data Protection Officers – Should we change our data protection officer?
If your organisation needed to have a Data Protection Officer (DPO) prior to 1 January 2021, it will continue to be required to have a DPO. If your DPO is based in the UK, you should review whether your DPO can continue to be "easily accessible" to each EU establishment, relevant supervisory bodies and EU data subjects. Official guidance recommends that an organisation's DPO should be located in the EU, unless the DPO's activities can be carried out more effectively outside the EU.
9. EU supervisory authority - Will the ICO remain our organisation's lead supervisory authority?
As of 1 January 2021, the ICO is no longer an EU supervisory authority. If your organisation had the ICO as its lead supervisory authority, you should identify an EU supervisory authority if your organisation continues to maintain an EEA establishment and engage in cross-border processing. That EU supervisory authority is likely to be your organisation's lead supervisory authority now that the transition period has ended.
If a complaint was made before 1 January 2021, and your organisation's lead supervisory authority was the ICO at that time, the ICO will continue to be the authority investigating and bringing any enforcement action for that complaint. In these circumstances a supervisory authority in another EU Member State will provide input, but would not be able to bring separate enforcement action.
10. Is EU data protection law still applicable in the UK?
The EU data protection legal and regulatory framework will continue to apply after 1 January 2021 for UK organisations that offer goods or services in the EU or monitor the behaviour of EU data subjects. As confirmed by the ICO, you should continue to follow their existing guidance regarding compliance with EU data protection law.
Conclusion
Whilst the "bridging" period provides a period of respite for UK organisations around transfers of data from the EU to the UK, your organisation should continue to consider the other implications of Brexit and possible changes required to your organisation's data protection arrangements.
There is no guarantee that the UK will be granted an adequacy decision; therefore UK organisations should continue to prepare and implement appropriate data transfer mechanisms to avoid any potential disruption to their business and to the flow of personal data from the EEA to the UK.
Mini Bytes
- ICO's data sharing code of practice: The ICO has published its data sharing code of practice, providing practical guidance for organisations on sharing personal data in compliance with data protection law. The code sets out a number of considerations and good practice recommendations for organisations which intend to share personal data, including: (i) identifying the objectives of the sharing activity and the legal basis for such processing; (ii) carrying out a data protection impact assessment even if not legally required; (iii) demonstrating a compelling reason to share children's data; (iv) arranging regular reviews of data sharing arrangements; and (v) ensuring that all decisions with respect to data sharing are documented. The code does not impose additional obligations on organisations but will be taken into account by the Commissioner when assessing whether an organisation has complied with its obligations under data protection law when sharing personal data.
- Pownall Marketing fined £250,000 for nuisance calls: The ICO has ordered Pownall Marketing Limited to pay a fine of £250,000 for a serious breach of regulations 21A and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The Information Commissioner initiated an investigation after receiving a significant number of complaints about unsolicited direct marketing calls from Pownall relating to claims management services. The investigation identified that Pownall had, over a five-month period, made 365,369 unsolicited calls to individuals who had not provided prior consent to receive such calls, and that Pownall also failed to identify itself as the company contacting the individuals. The Commissioner identified as an aggravating feature of the case Pownall's attempt to have the company struck off the Companies House register following conclusion of the investigation, which appeared to be "a cynical attempt to avoid regulatory action".
- Defendants receive custodial sentences in Computer Misuse Act prosecution: Kim Doyle and William Shaw were each sentenced to eight months' imprisonment, suspended for two years, after pleading guilty to conspiracy to secure unauthorised access to computer data. Doyle also pleaded guilty to selling unlawfully obtained personal data. Doyle had, whilst working for and unbeknownst to RAC, compiled and transferred lists of road traffic accident data containing personal data to Shaw, the director of a road accident claims firm, which Shaw used to make nuisance calls. The RAC was alerted to a potential data leak after being contacted by Arval, a fleet management company, about unsolicited calls received by one of its drivers who had been involved in an accident. The ICO stated in relation to the case that "offenders must know that we will use all the tools at our disposal to protect people's information and prevent it from being used to make nuisance calls".
- Update to the joint statement on global privacy expectations of video teleconferencing companies: The ICO released an update on the joint statement of global privacy expectations of video teleconferencing companies. On 21 July 2020, the ICO and five other data protection and privacy regulators sent an open letter to Microsoft, Cisco, Zoom, Houseparty and Google recognising the value of video teleconferencing, setting out the concerns and risks, and providing video teleconferencing companies with principles to guide them in avoiding privacy risks. All the addressees except Houseparty have responded, highlighting various privacy and security best practices and tools which they advise are implemented in or built into their video teleconferencing services. Going forward, the joint signatories will invite further discussion with these companies on the privacy and security safeguards and issue a more substantive public statement on their findings, learnings and outcomes from this activity in 2021.
With thanks to Julia Bell and Aruse Okaisabor for their contributions.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.