On January 1st, the new EU-UK Trade and Cooperation Agreement came into effect – providing the legal basis for trade between the two to continue.
As part of that last-gasp agreement, the EU has provided the UK with a 'bridging period' that permits UK businesses to continue processing European consumer data in line with GDPR for a six-month period.
Following that grace period, the EU will need to make an adequacy decision for UK businesses to continue transferring consumer data from the EU to the UK in the current manner. So, what does this mean for UK businesses?
GDPR EU VS. GDPR UK
The new trade agreement results in two versions of GDPR living side by side. The EU's GDPR remains unchanged, but the UK now falls under the jurisdiction of its own separate version of the data protection regime – GDPR UK.
Despite this legal disparity, for the time being, UK businesses can continue to process European consumer data as if the UK was still an EU member state. Once the six-month 'bridging period' is over, however, businesses may need to make changes to their procedures to ensure data compliance with both GDPR UK and GDPR EU.
The good news is that, if an adequacy decision is reached, data transfers will be able to continue without the need to implement any additional safeguards. This would be the best outcome for UK businesses because it would lead to the least amount of friction.
Whether an adequacy decision can be reached depends just as much on the UK government as it does on the EU. Unfortunately, the UK government has (thus far) made no guarantees that it intends to continue with GDPR UK in its current format. That decision could spell disaster for the adequacy agreement.
What seems fairly certain at this stage is that, even once the bridging period concludes, data transfers from the UK to the EU will be able to continue without changes. However, the British government has conceded that even this is currently under review.
No adequacy?
In the event that the EU decides against an adequacy decision, UK businesses would be left needing to implement additional safeguards to legally transfer data across the EU-UK border. This puts British businesses squarely in limbo, because they can't be sure whether they need to prepare.
As a result, legal advisors at Dechert LLP are already warning that businesses who rely on regular transfers of data from the EU to the UK "would be prudent to put in place fall-back measures to safeguard against interruptions to data flow".
Businesses may need to appoint a new data protection representative to formally handle compliance within the EU, and they may need to update privacy notices, internal policies, contracts and other documents to reflect obligations in each jurisdiction.
In addition, businesses may need to alter the legal basis they rely on to process data lawfully. And they may need to implement additional safeguards, such as Standard Contractual Clauses, binding corporate rules, approved codes of conduct, and approved certification measures, to permit the legal flow of personal data from the EU to the UK.
This scenario would create a lot of extra red tape for UK-based organizations, which is why it is vital for the UK government to facilitate the European Commission's route to an adequacy decision as quickly as possible.
Is an adequacy decision likely?
One can only hope that the road to an adequacy decision within the bridging period is there. However, for the time being, nothing is guaranteed. Also, previous adequacy decisions stretched out over extended periods of time, a concerning omen. The EU's adequacy agreement with Japan, for instance, took 18 months to achieve.
The UK's version of GDPR, which is tailored by the UK Data Protection Act 2018 (DPA), could itself potentially cause a barrier to the adequacy decision. The UK's original implementation of GDPR – as permitted by EU law for all member states – contains certain derogations.
For instance, the UK's DPA exempts the application of GDPR in cases where data processing is necessary to safeguard national security or for defense purposes.
While the UK was an active member of the EU, these kinds of legally permissible derogations were non-problematic. However, following Brexit, there is a chance that any deviations from the original EU regulation might impede an adequacy agreement.
In addition, the EU has clarified that if the UK amends any of the data protection laws that were in place at the time of the trade agreement – or opts to exercise certain powers contained within DPA or GDPR UK without consent from the EU Partnership Council – the 'bridging period' could abruptly terminate.
Ultimately, it all boils down to whether the UK government is willing to continue implementing the European Union's core values regarding consumer data privacy, and whether the EU Commission feels that the UK's version of GDPR, as tailored by DPA, is currently aligned with GDPR EU sufficiently to allow data transfers without the need for additional safeguards.
Unfortunately for UK businesses, six months is an extremely short period of time. And, if history is anything to go by, an adequacy decision may not have been reached at the end of the bridging period.