Explaining adequacy; personal data transfers to the EEA under no deal
Transferring personal data to the EEA will become harder under no deal. Here techUK explains why, and the next steps the UK should take.
In the event of no deal the UK will need to seek an adequacy agreement with the EU to allow businesses to transfer personal data to the EEA without extra regulatory burdens. Here we explain the impacts of no deal on data and why the UK should prioritise an adequacy agreement with the EU.
How is personal data transferred while in the EU and what happens under no deal:
As a member of the EU the UK enjoys access to the EU’s common framework for data protection. Underpinned by GDPR, this allows businesses to transfer personal data within the EEA, and to and from the 13 other countries with which the EU has full or partial adequacy agreements, without having to provide extra reassurances, known as ‘appropriate safeguards’.
In the event the UK leaves the EU without a deal, the UK will lose access to this common data protection framework at the point of exit: 23.00 GMT on 31 October.
As a result, UK businesses which exchange personal data with businesses in the EEA will have to ensure these ‘appropriate safeguards’ are in place to transfer data in a manner that complies with GDPR rules, for example by inserting Standard Contractual Clauses (SCCs) into contracts or applying Binding Corporate Rules (BCRs).
To prepare for no deal, businesses will therefore have to examine their data flows and take the extra steps needed to ensure that, when transferring data, they are not penalised by data protection authorities. ICO guidance on appropriate safeguards can be found here.
Countries can be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.
Receiving a full adequacy decision will allow personal data to be transferred to and from the EU in a similar manner as is done now. If the EC won’t grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada and with the US through the Privacy Shield Framework.
The European Commission has set out that it will not begin its assessment of the UK until it is a third country. Under the withdrawal agreement the UK could have applied during the transition period while still maintaining access to the EU’s common data protection framework. However, in the event of no deal the UK will need to apply once it has lost access.
How is the adequacy decision made?:
The process requires the third country (in this case the UK) to request the EC to make an assessment. This is then followed by a proposal from the European Commission, an opinion of the European Data Protection Board, approval from representatives of EU countries and the adoption of the decision by the European Commission following an investigation.
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision if in their view the EC exceeds the implementing powers granted to it in EU law.
This creates multiple friction points where the UK’s progress to an adequacy decision could be halted by legal or political hurdles.
The UK will also not necessarily be ‘front of the queue’, as existing adequacy talks are ongoing between the EC and South Korea.
How long could the adequacy decision take?:
The shortest time in which an adequacy decision has been completed is 18 months (with Argentina).
While the UK has said that it will continue to apply GDPR, therefore in theory speeding up an adequacy decision because the UK and the EU apply the same data protection laws, the UK’s case is unprecedented and there may be problems which arise due to a member exiting the framework that speed up or slow down an adequacy decision.
The UK’s security services will also come under scope in this decision: as the UK will be a third country, the actions of UK security services such as GCHQ would factor into any adequacy decision the EC may make. The main potential problem is the UK’s Investigatory Powers Act 2016, which allows for broad interception, interference and communications acquisition powers. This Act may contravene the human rights element upon which the GDPR is based, putting a fast adequacy decision at risk.
Further to this, any proposed changes to UK data protection rules may slow down the progress of an adequacy decision. For example, some have argued that leaving the EU offers an opportunity to diverge from GDPR. While other countries with full or partial adequacy decisions do not apply GDPR, changes to the UK’s data protection laws in the period where it is being assessed could result in the EC having to reset or review parts of its assessment, increasing the time it takes to grant adequacy.
Similarly, were the UK to put changes to data protection rules on the table in any trade negotiations, proposed changes to rules during the negotiation or the simple fact that these are in scope could slow down the decision-making process.
What should the UK Government do?:
Transfers of data are hugely important to the UK economy with data driven services increasing productivity and innovation. The McKinsey Global Institute estimates that cross border data flows accounted for 3.8% of global GDP. In an advanced services driven economy such as the UK, cross border data flows are likely to make up a much bigger proportion of GDP than that.
43% of total UK exports are services-related, with more than one-third of these trade flows with European partners, and the majority of trade in services is underpinned by cross-border data flows. Therefore, interruptions to data flows and extra requirements on businesses to allow them to continue to transfer personal data will have a large impact on the UK economy.
In techUK’s discussions with members, extra safeguarding measures such as SCCs and BCRs are seen as a useful relief in the event of no deal. However, large companies are significantly more likely to have applied these due to their size and resources, with smaller companies less likely to have done so.
In techUK’s last survey of members in December 2018, 65% of small and 46% of medium-sized businesses had not taken any active steps to prepare for a no deal exit on 29 March 2019, with 30% of small businesses having not taken any active steps to prepare because they lacked the resources to do so. This compared to just 8% of large businesses who had not taken any steps.
Even for larger businesses who have prepared by seeking to implement ‘appropriate safeguards’, there are concerns over the long-term sustainability of these safeguards due to a history of EU alternative privacy arrangements being struck down in court, for example the EU/US Safe Harbour Agreement. Currently SCCs are in scope in the Schrems II ECJ case, due to be resolved early next year. This case has the potential to invalidate SCCs as a method to transfer data to/from the EEA outside an adequacy decision.
In the event of no deal, techUK strongly encourages the UK Government to immediately request an adequacy assessment and to prioritise receiving a full, positive adequacy decision from the EC at the earliest opportunity. This should be prioritised above attempts to enact significant reforms of UK data protection rules and changes to these rules resulting from trade negotiations.
techUK has significant concerns that a failure to achieve a timely adequacy decision will mean that UK businesses face a significant competitive disadvantage when compared with firms in the EEA or the 13 countries with full or partial adequacy decisions. An adequacy decision from the EU is the only way to guarantee that data can continue to be transferred without major interruption and to provide business with certainty on how to sell services and products to our closest partners without an increased risk of failing to meet data protection standards.
In the event of a protracted decision-making process, UK companies will have to provide extra certainty over their data protection arrangements to reassure potential customers that rules are not being broken. The legal uncertainties resulting from overnight changes in the rules after no deal, the potentially spotty application of SCCs and BCRs and the possible invalidation of some ‘appropriate safeguard’ mechanisms in court mean UK companies and their business partners could face a moving feast of regulatory requirements, increasing the risk of being fined by data protection authorities.
For any businesses which have concerns regarding transferring personal data to and from the EU in the event of no deal, please see the ICO's guidance for business here.