Cookies on Pinsent Masons website

Our website uses cookies and similar technologies to allow us to promote our services and enhance your browsing experience. If you continue to use our website you agree to our use of cookies.

To understand more about how we use cookies, or for information on how to change your cookie settings, please see our Cookie Policy.

BREXIT: timescale set for data protection 'adequacy' decision

The European Commission will aim to reach a decision on whether to endorse UK data protection standards before the end of 2020, according to proposals agreed by Brexit negotiators.20 Nov 2018

On Wednesday evening, the UK government and European Commission announced that the UK and EU27 countries had reached a draft agreement on the terms of the UK's withdrawal from the EU (585-page / 1.44MB PDF). That draft agreement, which is still to be ratified by the UK parliament and EU27 member states, was published alongside a number of other documents, including an outline of the political declaration on the future EU-UK relationship (7-page / 110KB PDF).

According to the political declaration, the Commission will assess UK data protection standards on the basis of the EU's "adequacy framework" with a view to adopting an 'adequacy' decision "by the end of 2020". Over the same period, the UK will "take steps to ensure comparable facilitation of personal data flows to the Union", it said.

While the political declaration indicates that a mutual EU-UK 'adequacy' arrangement could facilitate the flow of personal data between the EU and UK after 2020, the draft withdrawal agreement outlines what protections should apply to the UK's processing data about data subjects outside of the UK prior to the end of the Brexit transition period and after that period in circumstances where a future adequacy arrangement is not in place. The distinction between pre- and post-Brexit data processing was foreseen by Pinsent Masons, the law firm behind Out-Law.com, last month.

According to the draft withdrawal agreement, the Brexit transition period would last from the scheduled time of Brexit on 29 March 2019 until 31 December 2020, although it could be extended beyond that date should the UK request an extension prior to 1 July 2020.

Currently, personal data can flow freely between the UK and the rest of the EU as the UK is an EU member state and the intra-EU data transfer arrangements organisations put in place are subject to EU data protection laws. That is set to change with the UK set to end its EU membership.

EU data protection law places restrictions on the transfer of personal data outside the European Economic Area (EEA). Businesses are prohibited from transferring personal data to non-EEA countries unless they  have in place one of a number of safeguards to ensure EU data is adequately protected when processed in those 'third' countries.

One mechanism which has helped to facilitate the free flow of personal data between organisations in the EU and non-EEA jurisdictions is the adequacy framework. That provides the European Commission with powers to designate non-EEA territories as having data protection standards in place that are essentially equivalent to those provided for in the EU. To-date, the Commission has issued adequacy decisions for 12 territories, including the US, Canada, Switzerland and New Zealand, and it is in the process of adding Japan and South Korea to that list.

According to the draft withdrawal agreement, EU data protection laws will apply to the UK's processing of non-UK individuals' data during the Brexit transition period, unless an adequacy agreement has been introduced before the transition period ends to supersede those provisions.

In addition, EU data protection laws will continue to apply to the UK's processing of non-UK data subjects data after the Brexit transition period ends if that data continues to be processed under the terms of the agreement, including potentially if no future arrangements, such as an adequacy agreement, have been implemented.

The UK government referred to the data processed in both scenarios as existing 'stock' of personal data in an 'explainer' document (56-page / 260KB PDF) it has published alongside the draft withdrawal agreement which provides further clarification on the protections that will apply.

"EU law will continue to apply to the 'stock' of personal data until adequacy decisions have been granted, after which time UK domestic rules on personal data protection will apply," the explainer paper said. "In the unlikely event the UK subsequently lost those adequacy decisions, the UK would apply data protection standards which are 'essentially equivalent' to those in the EU and the 'stock' of personal data would be held in accordance with UK domestic law."

The EU27 have committed under the draft withdrawal agreement not to treat data obtained from the UK any differently to data from EU member states during the Brexit transition period or thereafter where the data is obtained on the basis of the withdrawal agreement.

Other welcome news for businesses is that under the terms of the draft withdrawal agreement, organisations in the UK should continue to be able to rely on adequacy decisions and EU model clauses for affecting international transfers, at least during the transition period.

Enforcement of GDPR matters will change even under the withdrawal agreement. The Information Commissioner' Office (ICO) will no longer be part of the European Data Protection Board, and will no longer be able to act as a lead authority in cross-border processing issues affecting more than one EU country. Businesses that process personal data in the UK and in EU countries may have to deal with the ICO for the UK processing activities and designate a 'main establishment' in an EU country for their EU processing activities.

This also begs the question whether a controller would be liable to investigation by the ICO and by the EU 'lead authority' for the same processing activities. In those circumstances there would be two investigations relating to the same processing activities, and so it is unclear whether the ICO would ensure that its decision is in line with a decision of a the EDBP.

Further, if a company has a binding corporate rules (BCR) application with the ICO, the ICO would no longer be able to act as the lead authority for that application. Discussions should be commenced with the ICO to make arrangements for progression of any pending applications.

Brexit advisory expert Guy Lougher of Pinsent Masons, the law firm behind Out-Law.com has said that businesses must continue to plan for a range of possible outcomes around the UK's withdrawal from the EU despite the publication of the documents on Wednesday.

Latest EU data protection regulation News & Guides