On Christmas Eve the UK and the EU concluded a Trade and Cooperation Agreement in principle.

We’ve set out the key points from a data protection perspective below.

The key take away is that transfers of personal data from the EEA to the UK can continue without safeguards for a period of up to six months from the end of the transition period while the European Commission considers whether to adopt an adequacy decision in respect of the UK. This means that there is no need (yet) to put SCCs in place to facilitate these transfers.

The Agreement will take effect provisionally in EU law on 1 January 2021, pending ratification by the EU Parliament in early 2021. The UK Parliament will be invited to ratify the Agreement tomorrow.

Data protection issues in the UK/EU Trade and Cooperation Agreement

  • EEA to UK transfers – the transfer of personal data from the EEA to the UK may continue without safeguards (e.g. standard contractual clauses) after the end of the transition period for a period of four months, which will be automatically extended by a further two months if neither the UK nor the EU objects. This is on the condition that the UK continues to apply the GDPR (as it is incorporated into national law, the “UK GDPR“). The period will end earlier if the European Commission adopts an adequacy decision in relation to the UK.
  • Direct marketing – the UK and the EU have both committed to ensuring that direct marketing communications are not sent to individuals without consent (although organisations in both the UK and the EEA will still be able to rely on the so-called “soft opt-in”).
  • Cooperation – the UK and the EU undertake to cooperate “at bilateral and multilateral levels” with respect to data protection, including through “dialogue, exchanges of expertise, and cooperation on enforcement“. This suggests that the ICO may continue to work closely with the European Commission, the European Data Protection Board and EU supervisory authorities going forward.
  • Data localisation – the UK and the EU have agreed that neither will be allowed to require data (including personal data) to be stored or processed in its territory.
  • Law enforcement – the Agreement provides that the UK and the EU’s cooperation in the area of law enforcement is subject to effective safeguards in their respective data protection regimes. Either party may suspend this cooperation in the event of serious and systemic deficiencies in the other’s data protection regime.

Related issues (not addressed in the Agreement)

  • UK to EEA transfers – the Agreement does not address transfers of personal data from the UK to the EEA, but these transfers can also continue without safeguards after the transition period because the UK has already designated EEA member states as providing an adequate level of protection of personal data for the purposes of the UK GDPR. This designation can be withdrawn at any time.
  • UK to non-EEA transfers – for now, the UK has adopted the same adequacy decisions as the EU, and transfers may therefore be made from the UK to these adequate jurisdictions without safeguards. These decisions may be revoked or amended, or added to, at any time.

How have the regulators responded?

Statement from the ICO  

  • Recommends UK businesses to work with EEA organisations during the 6 month period to put in place alternative transfer mechanisms as a “sensible precaution“.
  • Highlights that the UK has deemed the EEA states to be adequate “on a transitional basis

Statement from the CNIL (French only)

  • Confirms that the one-stop-shop mechanism will not apply to the UK anymore as of 1 January – “Only controllers and processors who have established a new main establishment in the EEA in accordance with the provisions of Article 4(16) of the GDPR will continue to benefit from [the OSS] mechanism“.
  • EU supervisory authorities have been working with the ICO to allow an orderly transition and adopt a “coordinated approach in dealing with existing complaints and cross-border cases involving the ICO“.

If you have any questions relating to any of the content above please do get in touch with a member of the team.

Author

Harry is a Senior Consultant in Baker McKenzie’s London office and handles all aspects of information technology and communications law. He acts for a broad base of information technology and communications products and service providers — assisting them in their contract negotiations and managing their disputes. He also practises in contentious intellectual property law.

Author

Paul is head of cybersecurity in the UK and a key member of our wider data protection team. For 15 years, Paul has guided clients through all types of major data security incidents as well as complex technology and data disputes. Paul pioneered an award-winning data breach and dark web scanning tool which was the first product of its kind in the legal market.

Author

John is an associate in Baker McKenzie's Intellectual Property and Technology team, based in London. He joined the Firm in 2016 and was admitted as a solicitor in England and Wales in 2018. He is also admitted as an attorney in the state of New York. His practice encompasses aspects of commercial, technology and intellectual property law. He has a particular focus on data protection.