The UK-EU Trade and Cooperation Agreement (TCA) came into effect on 1 January 2021, and the European Commission has made a draft data adequacy assessment. Find out how this impacts the flow of personal data and what this means for your business operations.
The free flow of data underpins the modern economy and is essential to businesses in every sector, from automotive to logistics.
The European Commission has now made a draft adequacy assessment decision regarding the UK, a huge step towards securing free data flows between the two partners and a testament to the UK’s commitment to high data protection standards.
The decision must now be ratified by June, during the 6-month bridge period agreed in the TCA in which the UK will not be treated as a third country. The ICO continues to recommend that organisations take steps to prepare for a no-deal on data, in case the decision changes or takes longer than the bridge period to ratify.
The guidance on this page represents the information currently available from government. The CBI will update this page as new information is released.
Key challenges for business
What does the UK-EU TCA mean for GDPR?
The government has incorporated GDPR into UK law and cannot change its data laws during the bridge period. Businesses must continue to comply and should follow current guidance on complying with GDPR from the Information Commissioner’s Office (ICO). References to EU law and terminology in businesses’ documentation should have been identified and updated to reflect UK terminology upon exit.
What happens now the Commission has made a draft adequacy assessment?
The decision must be ratified before it can be adopted by the Commission. It has been issued to the European Data Protection Board for a non-binding opinion. Once the opinion is given, representatives from EU Member States must also sign off on the decision. The latter is likely to be more of a formality, but the EDPB has been known to force revisions on draft decisions. However, both the EDPB and Member States can ask the Commission to maintain, amend, or withdraw the adequacy decision at any time. Once in force, the European Commission will continue to monitor the UK data protection rules, and the adequacy decision will be reviewed every four years.
Given this uncertainty, the ICO advises that businesses take steps to introduce safeguards (outlined below) to maintain the continuous flow of data between the UK and EU even without an adequacy decision and after the 6-month bridge period.
What will happen if the UK does not receive a positive adequacy decision?
If the Commission does not make an adequacy decision, the EU will treat the UK as a third country – meaning that UK businesses that receive personal data from Europe will need to implement new safeguards to keep data flowing. The government therefore recommends that businesses work with their EU supply chain and partners during the bridging period to identify where safeguards may be necessary.
Standard contractual clauses (SCCs) are the most common safeguard – these are standard sets of terms and conditions which the sender and receiver of personal data insert into contracts. Businesses should note the recent ruling by the European Court of Justice that obliges businesses to scrutinise SCCs much more closely. The European Data Protection Board has produced draft guidance for international data transfers following this ruling.
The UK previously confirmed that it would continue to recognise EU standards of personal data in the event of a non-negotiated exit, permitting UK businesses to send personal data to the EU and countries with adequacy and partial adequacy agreements (e.g. the US, Japan, and Canada) without any additional requirements.
How does the UK-EU TCA impact how businesses interact with EU authorities?
Businesses no longer benefit from the one-stop-shop, which allowed them to interact with a single supervisory authority. This means that if the ICO is currently a business’s lead data protection regulatory authority but the business has offices, branches, or other subsidiaries in the EU, it might need to deal with other European supervisory authorities after the end of the transition period.
If a business is based solely in the UK but offers goods or services to EU citizens or monitors their behaviour, it may need to appoint a suitable representative in Europe. They will act as the firm’s local representative with individuals and data protection authorities in the EU.
What happens to personal data transfers between the UK and adequate jurisdictions?
The EU has granted adequacy to twelve other countries, all of which (except Andorra) have said they will continue to allow uninterrupted data transfers with the UK. Further information can be found on the ICO’s website.