Brexit, Data Protection and the GDPR

Updated: Apr 1

Since the 1st of January 2021, the United Kingdom (UK) has no longer been subject to European Union (EU) laws, as the Brexit transition period came to an end. After years of turmoil as to how Brexit was to take place, an agreement was (finally) struck, with the emergence of the UK-EU Trade and Cooperation Agreement (hereafter the 'Agreement'), which was a relief for many. Reaching it was not only vital for trade between the UK and the EU, but it was also of great importance for the transfer of data. Since the UK has left the EU, this Agreement has been used as the basis for the legal transfers of personal data.[1] On that note, it is only meant to serve as an interim solution.[2]


Until the 30th of June 2021, this Agreement or 'Bridge', as it is also called, is to be used to allow for the free flow of data between the EU and the UK, until adequacy decisions are made by the EU or, if no adequacy is found, until this Bridge expires.[3] However, issues relating to data transfers still remain; notably, how trade in this domain is to play out in the long run between both parties now that Brexit has taken place, as the EU possesses the strongest privacy and security legislation worldwide.[4]


What is the General Data Protection Regulation?


The General Data Protection Regulation (GDPR) was enacted by the EU in May 2018, and it imposes many stringent obligations on data collectors and processors concerning how they use, collect, store and transfer personal data. The enactment of the GDPR was significant, as this piece of legislation is a 'Regulation', which means that all EU member states must apply the law as it stands in their national law, with no possibility to tweak it to best fit domestic functioning.


Article 1 of the Regulation explains what the GDPR is, notably that it 'lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data'.[5] Paragraph 2 of Article 1 also outlines the Regulation’s aim of protecting individuals’ personal data.[6] Hence, not only does it create harsh obligations for entities involved in collecting data, but it also establishes digital rights for EU citizens. It is to be applied whenever data is being processed for any reason which is not for personal use.[7]


The GDPR is notable for its multipurpose character: it includes a list of principles which are to be abided by when processing personal data,[8] the rights that data subjects may benefit from,[9] and, importantly, the various responsibilities and obligations that data controllers and data processors must abide by.[10] It is significant to note that the GDPR also ensures the lawful processing of data; hence Article 6 establishes a list of grounds on which a data controller or data processor must rely in order to be acting within the ambit of the law.[11] All these sections, which form this legislation, are what allow the EU and its member states to have a strict privacy and data protection framework.


However, as this body of law leaves very little room for compromise, it is also very difficult for countries outside of the EU to process EU citizens’ data, as these countries are often more lenient. The question looming over Brexit is what will happen to UK entities that transfer data from the EU. Will they be allowed to continue to transfer EU citizens’ data if this legislation is no longer applicable to the UK?


Brexit and Data Protection


Before Brexit, the regulation of data transfers, data storage and data processing was controlled by the General Data Protection Regulation (GDPR). The GDPR is an EU piece of legislation; therefore, it no longer applies to the UK. As data is now recognised to be an important 'good' which can be traded, it is imperative to have a comprehensive framework to regulate how such trading is to take place. Instead of getting rid of this very far-reaching piece of legislation completely, the UK decided to incorporate it into national law. In 2018, when the GDPR came into effect, the UK created the Data Protection Act 2018, which incorporated the entirety of the GDPR into UK national law. Even though the UK may no longer be a member of the EU, this highly protective data protection regulation has been successfully implemented into UK law and will therefore continue to apply.


An additional piece of legislation was implemented on the 1st of January 2021, known as the UK GDPR, which reflects the law found in the EU’s GDPR until that date.[12] Additionally, in the agreements made between the EU and the UK, it was also agreed that a 'Frozen GDPR', which reflects the EU GDPR as it stood on the 31st of December 2020, would be preserved and would be used by UK firms and other entities to regulate the use, storage, processing and transfer of EU personal data.[13] This piece of frozen legislation will always remain the same, even if either the EU GDPR or the UK GDPR were to be amended.[14] However, even with this agreement in place, an adequacy decision between the EU and the UK still remains to be determined, so that the EU can ensure that, under this system, EU citizens’ rights will continue to be enforced to the same extent as within the EU, and vice versa.


What is adequacy and why is it important?


When the EU decides that there is adequacy between itself and another country outside of the EU, it means that it finds that the legislation in a particular domain of the third country’s domestic law provides sufficient protection similar to that of the EU.[15] In the domain of data protection, a positive adequacy decision is important as it would allow for the free flow of data between the UK and the EU to continue without having to establish new safeguards.[16] Currently, the UK is still waiting for such a decision to be made as it would allow the Bridge to end, and a proper legal basis would be established to continue data transfer practices.[17]


An adequacy decision made in the affirmative is preferable, as this would allow data to flow as it had done prior to Brexit, without companies and other entities having to abide by new laws and regulations. Until now, the European Commission in its draft decisions has found the UK to be adequate; however, this finding still needs to be evaluated by the European Data Protection Board and a committee made up of the entirety of the EU member states.[18] In the next few months, a final adequacy decision will be made and, hopefully, this will allow for a continued swift transfer of data between the EU and the UK.


Concluding remarks


Although the UK has now left the EU, it seems as though what many lawyers thought would be a total nightmare is slightly less daunting, with the UK and the EU being capable of coming to terms in certain domains. In the area of data protection, as the UK had been very keen to implement and be compliant with the GDPR, it has facilitated the transition into this new 27-member state EU reality.


As the UK remains willing to apply this law, and with the UK-EU Trade and Cooperation Agreement having finally come to fruition (after years of doubt as to whether a deal would actually be possible), it seems conceivable to imagine a common playing field between the EU and the UK concerning data transfers, controlling and processing. Hopefully, an adequacy decision will soon come to light to confirm that the UK can continue the same cooperation with the EU as it always has done in the area of data transfers.



Endnotes

[1] European Commission ‘Brexit’ (European Commission Website) accessed 11th March 2021.

[2] Ibid.

[3] Information Commissioner’s Office ‘Information rights after the end of the transition period – Frequently asked questions’ (Information Commissioner’s Office) accessed 11th March 2021.

[4] GDPR.EU ‘What is GDPR, the EU’s new data protection law?’ (GDPR.EU) accessed 11th March 2021.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 1(1).

[6] Ibid. Article 1(2).

[7] European Commission Website, ‘What does the General Data Protection Regulation (GDPR) govern?’ (European Commission Website).

[8] (N5) Article 5.

[9] Ibid. Chapter 3.

[10] Ibid. Chapter 4.

[11] Ibid. Article 6.

[12] Information Commissioner’s Office ‘About the DPA 2018’ (Information Commissioner’s Office) accessed 12th March 2021.

[13] (N3).

[14] Ibid.

[15] Ibid.

[16] Ibid.

[17] Ibid.

[18] Ibid.
