The United Kingdom (‘UK’) has come to the end of the withdrawal period and has left the European Union (‘EU’). Its relationship with the EU is now determined by the EU-UK Trade and Cooperation Agreement (‘TCA’).
Personal data can flow freely between countries within the EU and the European Economic Area (‘EEA’). However, countries outside the EU and EEA are known as ‘third countries’ for the purposes of data protection. If a third country is given an ‘adequacy’ decision by the European Commission, it means that the country has been found to provide a level of protection of personal data that is essentially equivalent to that found within the EU, and data can be transferred to it without any further action. If a third country does not have adequacy, personal data can only be transferred to it if one of the permitted mechanisms in the GDPR is used.
Data Transfer from the EU/EEA to the UK
Whilst the TCA provides some agreement within the scope of digital trade, intellectual property and public procurement, it does not provide for the adequacy of the UK’s data protection regime. The TCA does, however, include a period of 6 months during which transfers of personal data from the EU/EEA to the UK continue to be treated as ‘transmissions’ rather than as data transfers to a third country, while the European Commission considers the UK’s application for an adequacy decision. This has relieved the pressure on organisations to make immediate arrangements to rely on a permitted mechanism for transferring data from Europe to the UK.
Data transfer from the UK to EU/EEA/Adequate Country
The UK has also incorporated the current EU adequacy decisions into law so that any transfers of personal data occurring from the UK to the EU/EEA, and between the UK and a third country with EU adequacy, do not at present require the use of one of the other mechanisms. Those countries, territories, sectors and institutions that presently have an EU adequacy decision will continue to be adequate in the UK unless or until the Secretary of State makes changes through future regulations.
Data transfer from the UK to a Third Country
The UK GDPR contains the same data transfer mechanisms as the GDPR to enable transfers between the UK and third countries. The Secretary of State will be able to make ‘adequacy regulations’ under Section 17A DPA 2018, which will confer adequacy where the protection of personal data is ‘essentially equivalent’ to that in the UK.
The ruling of the Court of Justice of the European Union (‘CJEU’) in the so-called ‘Schrems II’ case (see my previous blog article) is still applicable in the UK, which means that transfers using Standard Contractual Clauses (‘SCCs’) will need to be reviewed. The EU-US Privacy Shield was also declared invalid in that ruling, so an alternative mechanism is required to transfer data from the EEA, or from the UK, to the US.
In Schrems II, the CJEU ruled that GDPR Article 46(1), read together with the SCCs, must be interpreted as meaning that the requirements of appropriate safeguards, enforceable rights and effective legal remedies must ensure that data subjects are given a level of protection essentially equivalent to that guaranteed by the GDPR. SCCs remain a valid mechanism, but as they do not bind public authorities in third countries that may access the data, supplementary measures are needed to ensure equivalent protection.
This ruling affects, for example, transfers to cloud service providers or other processors that require access to the data without encryption or pseudonymisation, and situations where a business requires remote access to personal data. The European Data Protection Board (‘EDPB’) has published recommendations on supplementary measures that organisations can implement, with examples in Annex 2.
THE STATUS OF EU LAW
The position of EU law in the UK
The European Union (Withdrawal) Act 2018 (the ‘Withdrawal Act’) saves EU law as it applied to the UK at the end of the transition period. This is known as ‘retained EU law’ and has been introduced so that the large proportion of UK law that is based on EU law does not need to be replaced immediately. The General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the Privacy and Electronic Communications Regulations (‘PECR’) continue to apply in the UK as retained EU law. Once any new data legislation is created, this will take precedence over retained EU law.
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (‘Exit Regulations’) amend the GDPR, the Data Protection Act 2018 (‘DPA 2018’) and the PECR to enable them to operate in the UK now that we are no longer part of the European Union, for example by removing references to ‘Member State law’ and ‘the Union’. The Exit Regulations create the ‘UK GDPR’, which will operate as standalone legislation.
The Exit Regulations make hundreds of changes to the GDPR and to the DPA 2018. These changes have been consolidated into two Keeling Schedules, which should be referred to until a consolidating act is introduced in the UK. The UK GDPR is predominantly unchanged from the GDPR that applied up until the end of the withdrawal period. The TCA’s 6-month reprieve for data transfers is predicated on the UK’s data protection legislation remaining as it was at the end of the withdrawal period.
The UK GDPR, like the GDPR, has extra-territorial effect. It will apply to controllers and processors of the personal data of individuals in the UK that offer them goods and services, or monitor their behaviour, whether or not those controllers or processors are established in the UK. Such organisations will be required to designate a representative in the UK. The GDPR will also continue to apply to those organisations that come within its reach under GDPR Article 3, and it may be necessary for them to appoint a representative in the EEA. The potential fines imposed by the UK GDPR for a data breach are equivalent to those in the GDPR.
The Interpretation of EU Law
According to section 6(3) of the Withdrawal Act, the interpretation of retained EU law is in accordance with retained case law, that is, both domestic UK case law and case law from the CJEU up until the date the UK left. Article 71(1) of the EU-UK Withdrawal Agreement requires UK organisations to continue to apply the GDPR (not UK GDPR) to data received from the EU/EEA before the end of the withdrawal period (so-called ‘legacy data’) and personal data processed in order to comply with legal obligations under the Withdrawal Agreement.
Legacy data will be treated in accordance with the GDPR as it stood when the withdrawal period ended at the end of 2020. This means the GDPR will be ‘frozen’ in time for legacy data. The ‘frozen GDPR’ will be interpreted with regard to CJEU case law both past and future. If the UK is not given an adequacy decision, Article 71(1) of the EU-UK Withdrawal Agreement will continue to apply. If the UK is given adequacy, the UK GDPR will apply and the ‘frozen GDPR’ is no longer relevant.
When considering the UK GDPR, the lower courts are bound by the CJEU rulings handed down before the UK left the EU. Section 6(4) of the Withdrawal Act permits the Supreme Court to depart from retained EU case law. The European Union (Withdrawal) Act 2018 (Relevant Court) (Retained EU Case Law) Regulations 2020 permit the Court of Appeal to depart from retained EU case law as well.
The Charter of Fundamental Rights of the European Union (‘the Charter’) no longer applies in UK domestic law. This complicates the interpretation of data protection in the UK given the numerous cases that cite the Charter, and judgments of the CJEU that refer to the Charter. According to section 5(5) of the Withdrawal Act, “references to the Charter in any case law are…to be read as if they were references to any corresponding retained fundamental rights or principles”.
Article 8 of the European Convention on Human Rights contains the closest corresponding principle: the right to respect for private and family life, home and correspondence. However, unlike the Charter, it does not treat the right to privacy and the right to data protection as separate rights. Whilst the European Court of Human Rights has drawn some connection between the two in its case law, the scope of the relationship is not clear. Over time it is inevitable that differences will emerge between the EU and UK approaches to data protection and privacy.
At present, in practical terms, nothing significant has changed in data protection in the UK and the GDPR has for all intents and purposes been incorporated into UK law. An adequacy decision in the UK’s favour will make compliance far simpler for organisations. In the long term, there is likely to be some divergence between the UK GDPR and the GDPR as the case law develops, although this is unlikely to be substantial. If granted adequacy, any significant deviation would put that decision at risk.
However, as a cautionary note, it is not guaranteed that the UK will be given an adequacy decision by the European Commission. The Information Commissioner has recommended that UK organisations that receive personal data from the EU and EEA put in place alternative transfer mechanisms in case the UK is not given adequacy.
If you would like any further information or advice, I can be contacted at: firstname.lastname@example.org
Notes
See Chapter V of the GDPR.
Paragraphs 4 and 5 of Schedule 21 to the DPA 2018.
Part 3, Schedule 21 to the DPA 2018.
Article 45(2) UK GDPR.
Data Protection Commissioner v Facebook Ireland Ltd, Maximillian Schrems, C-311/18.
The transition period ran from 31 January 2020 to 31 December 2020.
Section 6(7) of the Withdrawal Act.
See Article 3 UK GDPR.
Article 27 UK GDPR.
Article 83 UK GDPR and Part 6 DPA 2018.
See sections 6(3) and 6(7) Withdrawal Act.
Section 5(4) Withdrawal Act.
See also Article 4(28) UK GDPR.
See ICO statement: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/12/ico-statement-in-response-to-uk-governments-announcement-on-the-extended-period-for-personal-data-flows-that-will-allow-time-to-complete-the-adequacy-process/