86: The effect of Brexit on international data sharing
The start of this year brought us to the end of the Brexit transition period. It also brought concern over the uncertain future of personal data, in particular how personal data may be shared across UK borders.
In this blog post we look at the post-transition rules for transferring personal data into and out of the UK.
Transferring personal data out of the UK
You may be pleased to read that transfers of personal data outside of the UK were largely unaffected by the end of the transition period. The UK has legislated to permit transfers of personal data to EEA states and countries which already had an EU adequacy decision at the end of the transition period. For transfers to any other countries, organisations can continue to use the same safeguards that were available before the end of the transition. For example, transfers that relied on the European ‘standard contractual clauses’ can continue to rely on them.
This means that the rules on transfers out of the UK are effectively the same as they were during the transition, at least for the time being.
The Government retains wide-ranging powers to change these existing rules. In future the Government may make new ‘adequacy regulations’ (the UK equivalent of an EU ‘adequacy decision’), which could permit free transfers to a wider range of destinations. We could also see the Government issuing new UK versions of the standard contractual clauses for international data transfers.
Receiving personal data from outside the UK
During the transition period, personal data could be shared freely between the UK and EEA states without organisations having to take on additional provisions and safeguards.
Shortly before the end of the transition the UK and EU negotiated a ‘bridging mechanism’, under which personal data continues to flow freely from the EU to the UK. The ‘bridge’ lasts until the end of April this year, and can be extended by a further two months.
The ‘bridge’ is supposed to give the European Commission time to complete what is known as an ‘adequacy decision’. The European Commission has the power to decide whether a country outside the EU offers an adequate level of protection over personal data. A positive adequacy decision would mean that the Commission has decided the UK can guarantee that personal data in the UK has a level of protection essentially equivalent to the level of protection ensured within the EU. That would mean personal data could continue to flow freely from the EEA to the UK, without requiring organisations to put additional compliance measures in place. One study has shown that the cost to UK businesses of having to put additional provisions in place could be up to £1.6 billion. Without an adequacy decision, the UK also risks a reduction in trade and investment and may see an increase in businesses relocating to outside the UK.
The UK’s data protection regime is based almost entirely on EU law, so it might have seemed obvious that the UK would be granted an adequacy decision. However, some commentators had worried that the use of data by the UK’s national security apparatus might have prevented this.
Despite those doubts, the Commission published a draft adequacy decision in favour of the UK on 19 February this year. This news will bring relief to many organisations who had projects on hold until clarity on transferring data from the EEA was provided.
Although this draft adequacy decision is promising, it must still be reviewed by the European Data Protection Board and be given the go-ahead by representatives from the EU member states.
Long-term implications of the adequacy decision
Even if the UK is granted a positive adequacy decision, that does not provide a permanent end to the uncertainty around transfers of personal data from the EEA to the UK. The draft adequacy decision states that there will be a review at intervals of not more than four years. Developments in the UK will be monitored and may result in the adequacy decision being amended or even revoked.
The adequacy decision could also be challenged in the courts. The adequacy decisions which underpinned the US Safe Harbour and Privacy Shield schemes were both successfully challenged. The risk remains that the UK’s adequacy decision could go the same way.
Now that the UK is no longer bound to follow EU laws, the UK may decide to take its data protection regime in a different direction and diverge from its EU counterpart. For example, in case C-623/17 Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others the UK’s position on mass surveillance conflicted with EU privacy rights; perhaps the UK will now feel free to pursue its interests without external restrictions.
Gimme! Gimme! Gimme! (an adequacy decision)
As Abba famously said, ‘breaking up is never easy’ and the UK breaking away from the EU has confirmed that to be true. With the promising news of the draft adequacy decision in favour of the UK, this break-up might just get a little easier now that the UK is unlikely to face additional restrictions on international data sharing. However, knowing the UK and knowing the EU, we should not assume that it will be smooth sailing from here. The EU’s obligation to monitor the UK’s data protection regime means that organisations wishing to transfer personal data into the UK would do well to keep an eye out for further developments.
‘Gimme Gimme Gimme’ (Abba, Gimme Gimme Gimme (A Man After Midnight))