Brexit: Where does the adequacy “bridge” lead to?

Those with an interest in privacy will have breathed a – measured – sigh of relief when the EU-UK Trade and Cooperation Agreement (“Trade Agreement”) was announced on 24 December 2020. The deal is a positive development that provides a platform for future cooperation between the EU and the UK in many areas.

Importantly, it includes an interim adequacy “bridge” under which the EU will continue to treat the UK as an adequate jurisdiction for up to six months pending any full adequacy finding for the UK. This means that, for now, personal data can continue to flow from the EU to the UK without the need for millions of contracts and impact assessments. Does that mean that there is no change on the privacy front post-Brexit? Emphatically not.

We consider what lies at the end of the adequacy bridge and the wider implications of the Trade Agreement on data.

The adequacy “bridge”

To recap, the EU General Data Protection Regulation contains restrictions on the transfer of personal data to third countries. At the end of 2020, the UK became a third country for these purposes, creating a potentially significant barrier to these data transfers. 

The best solution to avoid disruption to these transfers would have been for the EU to find that the UK has adequate data protection laws under Article 45 of the GDPR prior to the end of the transition period. However, the deafening silence on any such decision has made it clear for some time that an interim adequacy solution would be needed.

While the adequacy assessment and the negotiation of the Trade Agreement were notionally separate (a point that the EU Commission is keen to reiterate), most in the UK believe that the two were closely connected and that an adequacy finding was contingent on the Trade Agreement being finalised. However, adequacy could not then be granted instantly as it must follow the legal process under Article 93(2) of the GDPR which involves: (i) seeking an opinion from the European Data Protection Board; (ii) seeking the approval of the comitology committee; and (iii) making the draft decision available to the EU Parliament and Council.

In other words, the Trade Agreement keeps open a path for an adequacy finding, but that process will still take time. Accordingly, FINPROV.10A of the Trade Agreement states that transfers of personal data from the EU (and other EEA states) to the UK will not be treated as a transfer to a third country for an initial period of four months, extendable by a further two months unless either party objects.

This bridge is, however, subject to strict controls on data transfers. The UK must continue to apply its data protection law as at 31 December 2020 (principally the UK GDPR and Data Protection Act 2018). It must also not exercise powers under those laws to further relax the UK rules on transfers to third countries (such as finding new countries adequate, approving new Standard Contractual Clauses, BCRs, sector-specific codes of conduct or data certification mechanisms) unless:

  • the powers are exercised to bring the UK law into alignment with EU laws, e.g. by the UK approving the EU’s new Standard Contractual Clauses, drafts of which were published by the EU Commission in November last year; or
  • the EU-UK Partnership Council agrees the change.

The restriction on UK approval of new BCRs is particularly interesting, as every already-approved BCR is currently subject to a UK process that requires amendments and resubmission. Given these are existing BCRs, it may be that they are not “new” approvals and so do not require agreement of the EU-UK Partnership Council under FINPROV.10A.3e.

Prospects for a full adequacy finding

On the face of it, the UK has an exceptionally strong case for adequacy. The UK will incorporate the GDPR into domestic law after Brexit, meaning that its data protection laws are not just “essentially equivalent” to the GDPR but identical in all material respects.

However, in practice, the position is more complicated and must factor in a range of other issues such as UK Government surveillance powers under the Investigatory Powers Act 2016. None of these additional factors presents an insurmountable barrier, but they will likely require close consideration. This assessment is underpinned by rights to data protection in the EU Charter of Fundamental Rights, so there is limited scope to legislate around the problem. The views of the European Data Protection Board will likely be critical to the outcome of this process.

Certainly, the UK Government’s advice on this issue continues to be cautious, recommending that as “a sensible precaution…during the bridging mechanism, it is recommended that you work with EU/EEA organisations who transfer personal data to you to put in place alternative transfer mechanisms” should there be no adequacy finding. That doesn’t mean that you should put in place lots of Standard Contractual Clauses now, but that you should prepare to do so (to the extent you haven’t already, given how late in the day the Trade Agreement was announced). And if you’re entering into new arrangements that may cause data to be transferred after the bridge has expired, you should pre-legislate, wherever you can, for what happens in the event that there is ultimately no adequacy finding.

Transfers in the absence of adequacy

If there is no adequacy finding for the UK, those “alternative transfer mechanisms” will, in many cases, mean the use of Standard Contractual Clauses.

The use of those clauses is complicated by the CJEU’s decision in Schrems II, which requires EU exporters to conduct a case-by-case risk assessment of transfers made under the Standard Contractual Clauses. However, even here the six-month bridge should help as by the end of that period:

  • the EU Commission should have issued its new Standard Contractual Clauses containing Schrems II-compliant provisions; and
  • the European Data Protection Board should have finalised its draft Recommendations 01/2020 on measures to ensure transfers of personal data comply with Schrems II.

Both are likely to impose additional and burdensome obligations on the use of Standard Contractual Clauses but the position should, at least, be much clearer.

Other data protection issues

The Trade Agreement also contains significant and detailed provisions in relation to the handling of personal data in law enforcement and judicial matters but does not address some of the wider commercial complications resulting from Brexit.

For example, the UK Information Commissioner will cease to be part of the European Data Protection Board and one-stop-shop enforcement mechanism, albeit that the Trade Agreement contains provisions for some co-operation and dialogue on data protection matters (COMPROV.10(3)).

UK businesses must also continue to comply with the “frozen” GDPR in respect of existing personal data about citizens outside the UK, unless and until the UK is found adequate (Article 71, UK EU Withdrawal Agreement). In addition, UK businesses must comply with the EU GDPR to the extent they are caught by the offering and monitoring tests under Article 3(2), including appointing an EU representative (and vice versa for EU businesses caught by the UK GDPR).

Wider measures on digital trade

Finally, the Trade Agreement contains a specific chapter on Digital Trade. This contains provisions that in an ordinary Free Trade Agreement would be broad and ambitious. For example, it includes:

  • obligations not to require data localisation (DIGIT.6);
  • prohibitions on requiring prior authorisation for delivery of services electronically solely on the grounds that they are provided online (DIGIT.9);
  • obligations to allow contracts to be executed electronically and recognise digital signatures (DIGIT.10 & 11);
  • obligations to take measures to build consumer trust and prohibit unsolicited direct marketing communications (DIGIT.13 & 14); and
  • obligations to endeavour to make government data open and accessible (DIGIT.15).

However, these provisions are subject to exceptions on general public interest or security grounds, including in relation to financial services and the potential restrictions on the transfer of personal data from the EU in the event the UK is not found adequate. The background to these obligations is also the existing high degree of regulatory alignment between the EU and the UK, meaning they are more likely to act to limit future divergence rather than require changes to domestic law to better integrate the EU and UK’s legal systems.

By Peter Church and Georgina Kon