You might have been misled into thinking that the UK – EU trade talks were just about trade. Well, there were other issues at stake, like data protection; that’s right, data protection. Did you know that the value of personal data to the EU in 2020 is reported to have been €1 trillion? So, keeping it flowing across the EU and the UK has real commercial importance.
You might be wondering what this has to do with you if you are a small or medium business in the UK. Well, consider whether you sell goods or services into the EU, or whether your cloud-based platforms store your data in the EU. The General Data Protection Regulation was developed not only to give back control of personal data to the people who own it, but also to allow unrestricted flow of data for commercial purposes, so any interference with that flow will create some economic pain.
The agreement (EU-UK Trade and Cooperation Agreement) created a temporary ‘data bridge’ (I know, but I didn’t make the term up). What this means is that there is a temporary agreement between the EU and UK, lasting 4 months from January the 1st 2021, which is extendable by 2 months. This agreement means that personal data can flow freely from the EU to the UK and the government here has already declared that data will be able to leave our shores for the EU, so in reality, no real change.
An important factor included in the agreement is the requirement that, for the duration of this period, the UK cannot change its current data protection laws without the permission of the EU. Therefore, what has now become the UK GDPR (the retained 2016/679 GDPR) is the same as the EU GDPR (except where the Data Protection Act 2018 made allowable changes) and is likely to stay that way for some time to come.
That exact mirroring of the EU GDPR means the UK is anticipating that within the 4 – 6 months, the EU will hand out an adequacy decision to the UK, meaning an ongoing unrestricted free flow of personal data. But it is not a done deal as the EU has concerns over the UK’s processing of personal data in a national security context.
In the run-up to the end of ‘Transition’ and with the ‘who blinks first’ nature of the negotiations, I was asked by a data controller of a client of mine to sign up to a data processing agreement which required data to be stored in the EU/EEA. Fortunately, the agreement in place now prohibits any data localisation requirements, so data of EU data subjects can still be held in the UK.
In relation to electronic direct marketing, it is also agreed that the principles of the EU and UK interpretations of the e-privacy bill (Privacy and Electronic Communications Regulations in the UK) will be adhered to, i.e., the obtaining of consent for marketing except where the ‘soft opt-in’ provision applies.
Finally, for now, what has been reinforced is that any UK organisation that is not established in the EU, and that offers goods or services there and in doing so processes the personal data of subjects within the EU, must appoint a data protection representative in the Union. There are exemptions, such as if the processing is occasional and does not include large-scale processing of special category or criminal conviction data. But many organisations will have to carefully consider their obligations.
If any of this has created a question or observation, please get in touch at firstname.lastname@example.org, where we will be happy to have a conversation about your specific circumstance.