Maria Polycarpou

An ‘Adequate’ Solution? Assessing EU-UK Data Flows Post Brexit

The 24th of December brought a highly anticipated, last-minute deal between the United Kingdom (UK) and the European Union (EU) [1]. The General Data Protection Regulation (GDPR) contains a three-tier mechanism that facilitates data transfers from the EU to 3rd countries. Under the regime, international transfers are treated differently from intra-EU transfers, so post Brexit the UK would have been subject to greater national security scrutiny. However, under the new Brexit agreement, those processing personal data in the UK and EU can breathe a sigh of relief (at least for now). Article FINPROV.10A of the agreement, "Interim provision for transmission of personal data to the United Kingdom", means the UK will not be treated as a 3rd country under the GDPR until an adequacy agreement is reached, subject to conditions. This article will explore the intricacies and implications of this decision for businesses while discussing themes of ‘adequacy’.

What does it mean to be ‘adequate’?

Under the GDPR, the tripartite regime for international transfers comprises the adequacy assessment, standard contractual clauses and binding corporate rules. This article will focus on the first of the three methods. Data transfers between EU and non-EU states are permissible provided that the protection given to personal data when it leaves EU borders is ‘adequate’. The ‘adequacy’ assessment is governed by Article 25 of the GDPR, where factors including the domestic law, the overall legal framework and international commitments to the protection of the private life and basic freedoms of individuals in the third country are scrutinized. The reason for regulating data transfers beyond territorial borders is to serve the fundamental-rights protection mechanism of Data Protection Law. The rule would not be fit for purpose if it allowed personal data to flow from jurisdictions or controllers offering a high level of protection to those that offer significantly less.

Under the notion of equivalence, the assessment itself actually requires a higher standard of protection from non-EU countries than from EU countries, since national security rules are taken into account. This is a result of the high-profile Schrems II judgement. In contrast, the EU does not control national security processes within member states; thus, the GDPR assumes that intra-EU data transfers are adequate, without considering member state national security processes. Underpinning this approach is the principle of mutual trust between EU member states: they all uphold the rule of law because they have all signed up to the EU Charter and the European Convention on Human Rights. Post-Brexit, the UK will cease to benefit from this notion of mutual trust and will be subject to national security scrutiny as the EU makes its adequacy assessment. A finding of adequacy creates a ‘no questions asked’ policy for data flows to the third country, allowing it to access the EU ‘one-stop-shop’ to transfer data freely. Such a finding would offer greater legal certainty for UK businesses engaged in European Union and third-country data sharing.

Current Data Protection Agreement

Under Article FINPROV.10A, transfers of personal data from the EEA to the UK can continue, as the UK will not be treated as a ‘third country’ for the purposes of the GDPR. This lasts until the EU Commission adopts an ‘adequacy decision’ regarding the UK, or until 30 April 2021, extendable to 30 June 2021 unless either party objects. During this period, the UK has agreed not to make any changes to its own data transfer regime [2] without the EU’s approval, including adopting new standard contractual clauses or binding corporate rules (except changes bringing UK law in line with EU law). The UK has already committed to unhindered data transfers into the EU, but this is subject to review after the interim period elapses.

The ultimate impact of the interim provisions is that there are a few more months until the adequacy decision has to be made. This decision can be seen either as a bid for more time for the EU to form its own strategy or as an optimistic sign that the EU may grant the UK adequacy status. Should the adequacy decision be rejected, the UK will have to resort to the latter two measures for data flows, namely standard contractual clauses and binding corporate rules, to comply with the EU regime, as well as take into consideration any specific member state particularities.

The best-case scenario for the UK would clearly be an adequacy grant. Although it is an onerous assessment, adequacy has been granted to multiple jurisdictions including Argentina, Guernsey, Uruguay and Switzerland, showing that this feat is not impossible. What is more, adequacy is possible for a territory, sector or international organization. For example, the EU has deemed only Japan’s private sector to be adequate under the GDPR. This may provide hope that, should the UK not be deemed adequate as a whole, sectors or organizations could still be deemed compliant.

It is important to remember that a third country granted adequacy status should not loosen the reins of compliance with the regime, since adequacy status can be revoked. It should not be viewed as a static checklist, but rather as a continuous obligation that can be challenged before the European Court of Justice. The UK should, therefore, remain vigilant in order to avoid undue costs and complexities for its businesses, even if it is considered adequate.

In the Interim

The current interim period is presumably intended to allow time for the EU and the UK to each unilaterally adopt an adequacy decision, recognising the other jurisdiction as offering adequate protection for transferred personal data. Companies should use this interim period to find alternative workarounds in case no adequacy finding is made. For instance, to avoid the worst-case outcome, many UK-headquartered multinationals are looking at how best they can position a subsidiary in the EU as their “main establishment” in the EU; for efficiency, businesses might even decide to shift control of data protection matters entirely out of the UK, rather than split control between the UK and the EU. For now, businesses are protected from legal limbo and possible fines under the EU’s strict data privacy rules and should, thus, use their time wisely.

[1] Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part.

[2] The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.