The EU Trade Agreement and Data Protection

On Christmas Eve 2020 the EU and the UK finally managed to come to a provisional agreement on their future trade and cooperation. This agreement (which is actually a group of linked agreements) covers a wide range of matters but has specific provisions relating to Data Protection which are important.

The first point to note is that the data protection provisions are intended to be temporary in nature. Ultimately the UK is expected to apply to the European Commission for an adequacy decision which will then designate the UK as an accepted place to process the data of EEA nationals. Therefore the deal is not the end state of UK/EEA data protection arrangements and things are likely to change again when that adequacy decision arrives. There is also no certainty as to when exactly that will be but the Declarations document states (on page 25) that the Commission will “promptly launch” the process for the making of an adequacy decision.

In the meantime there is a standstill mechanism for data flows set up by the Trade Agreement (Article FINPROV.10A). This allows free data transfer into the United Kingdom for four months from the date the new Trade Agreement comes into effect. It can be extended for a further two months (so a maximum of six months) and this will happen automatically unless there is a specific objection made. This free transfer will also end if the UK alters its own data protection regime or when the European Commission makes an adequacy decision.

Longer term, there are provisions to try to keep data protection standards harmonised within the UK and EU. So, while there is a freedom for each party to do their own thing they have agreed that they will not set up a regime which bars data being transferred to the other party, requires data to be stored or processed in a specific place, or which would bar onward transfer to another place for storage or processing. However, there is a permission to impose restrictions on cross-border data transfer as long as those restrictions are general in nature and apply to a range of different sectors. How much this will matter is unclear. The EU would not be able to adopt targeted data protection provisions anyway as its own internal rules prevent it from doing so. This seems to be more of a carve out for the GDPR and its powers to control cross-border transfers and require that they meet similar standards to those found inside the EU.

Importantly, nothing in the Trade Agreement seems to let UK companies off from being required to have a GDPR representative inside the EU, which is required by Article 27 of the GDPR. I wrote about this requirement in more detail here. Therefore any UK organisation that wishes to process the data of EU nationals appears to require a GDPR representative inside the EU, notwithstanding the terms of this Trade Agreement. I would not expect this to change as a result of an adequacy decision either.

There is a new Partnership Council set up by the Trade Agreement which is intended to manage the transition process. This is empowered to make recommendations on the issue of personal data flows (Article INST.1(4)(h)). Under this are a series of committees which deal with different parts of the Trade Agreement. The Trade Partnership Committee seems to be the one that will be mainly dealing with Data Protection although it deals with a lot of other things as well so it might not devote a lot of time to this. There is also a further Trade Specialised Committee on Services, Investment and Digital Trade which seems to have a tighter focus on data matters. In practice, I suspect the EU side of these recommendations is going to be heavily influenced by existing GDPR bodies such as the European Data Protection Board. It is also worth noting that while the UK is likely to view recommendations as little more than suggestions, the manner of operation of the EU system tends to mean that recommendations are often seen as being fairly close to actual rules.

How much the UK will diverge on the issue of data protection in future is unclear. The Trade Agreement states in its preamble (on page 6) that it recognises the autonomy of both parties and their rights to regulate a range of things for themselves, including privacy and data protection. This right was “reaffirmed” in a number of other parts of the Trade Agreement. Undoubtedly the UK government had a hand in inserting this to make clear that it had the right to do its own thing if it wanted to. However, the same preamble also states that the parties recognise the value in free flow of data while respecting data protection rules and so there is clearly a warning that excessive divergence could undermine that free flow. In addition and adequacy decision would be put at risk if we were to sharply alter our data protection regime so that the basis on which it was made was put at risk. As I wrote here it would also be difficult for business to manage a divergent regime because they would then, in practice, have to comply with both the UK and EU regimes.

Ultimately, the Trade Agreement will allow data flows to continue freely once the UK leaves the EU. However, as with other things, they will not be the same and UK businesses that are processing the data of EEA nationals will need an appropriate GDPR representative inside the EU. JMW is equipped to assist with this process and has already built up considerable expertise in arranging GDPR representatives in several EU countries.