The Privacy Impact of the New Brexit Deal

On December 24, 2020, the European Commission (EC) and UK government announced the long-awaited EU-UK Trade and Cooperation Agreement (the Brexit Agreement), which sets out the future relations between the EU and the UK. If approved, the Brexit Agreement will become effective on January 1, 2021, and will have the following repercussions:

1. Free flow of data between the EU and the UK for the next four to six months. During the Brexit negotiations, the parties failed to reach an agreement on the UK’s data protection status. Therefore, the Brexit Agreement contains an “interim provision” that allows for a temporary free flow of personal data between the EU and the UK. This interim period is four months, but it could be extended to six months. In practice, this means that, for the time being, companies can keep transferring personal data between the EU and the UK without the need to put additional data export measures in place.

   To ensure that personal data can keep flowing between the EU and the UK during the interim period, the UK must keep in place its current data protection regime. During the interim period, the UK may only exercise certain designated powers with approval of the EU, such as authorizing new standard contractual clauses, recognizing the adequacy of third countries or territories, or approving new binding corporate rules.

2. The UK and the EU to abstain from adopting measures that may restrict cross-border data flows. As part of the Brexit Agreement, the EU and the UK commit not to restrict cross-border flows between the parties, e.g. through imposing data localization requirements, or prohibiting data storage in the territory of the other party. This commitment will be reassessed in three years. In addition, the EU and the UK agree not to impose customs duties on electronic data transmissions, which include electronic transmissions of personal data. Furthermore, the Brexit Agreement stipulates that the parties will uphold their current standards of data protection when processing personal data for law enforcement, judicial cooperation, and counter-terrorism purposes, as well as the sharing and transfer of passenger name records, DNA, fingerprint, and vehicle registration data.
3. Current marketing and e-privacy rules stay in place. The EU and the UK also agree that their citizens must remain protected against unsolicited marketing communications, which include the consent requirements in their e-privacy laws. This means that the marketing and consent rules currently in place will continue to be satisfactory after Brexit.
4. Parallel investigations in the UK and the rest of the EU. The ICO, the UK’s supervisory authority, will no longer participate in the GDPR’s one-stop-shop mechanism after January 1, 2021. This is in line with existing guidance from the ICO and the European Data Protection Board (EDPB). This means that companies that currently rely on the ICO as their lead authority, in particular in the context of an investigation, will need to re-assess their one-stop-shop approach to avoid being exposed to further investigations in multiple EU countries. This may include taking measures to ensure a new lead authority can be appointed.
5. Companies may need to appoint an EU or UK representative. After January 1, 2021, companies may need to appoint an additional data protection representative. Companies without establishments in the EU and the UK but doing business in both territories will need a representative in both jurisdictions. In practice, most companies will already have a representative in one of those jurisdictions, and therefore may need to appoint an additional representative in the other.
6. BCRs may require updating. As per the EDPB’s guidance issued earlier this year, organizations that have binding corporate rules (BCRs) approved by the ICO must obtain approval from another supervisory authority in the EU and amend their BCRs accordingly. Organizations with BCRs pending approval by the ICO will also need to contact their proposed new supervisory authority in the EU and provide all necessary information to demonstrate why the proposed supervisory authority is a suitable replacement for the ICO. The proposed new supervisory authority would then take over the application process and formally initiate a procedure for the approval of the EDPB.

What Happens Next?

The Brexit Agreement is scheduled to be approved by the EU Council on December 31, 2020, and by the European Parliament in early 2021. The UK Parliament will convene today, December 30, to vote on the Brexit Agreement, and is expected to approve the Brexit Agreement by the end of the day.

Companies that regularly transfer data between the EU and the UK will no doubt be relieved that the Brexit Agreement will allow for the continued free flow and storage of personal data. Part of this measure, however, is temporary and it remains to be seen if an adequacy decision will be reached in time before the expiry of the interim period. In the meantime, organizations should review whether their lead authority assessment, any ongoing investigations, or BCRs will be impacted by Brexit, or whether they need to appoint a legal representative in the EU and/or the UK.

Our EU and UK privacy and cybersecurity team is closely monitoring this topic and will provide updates when they are released.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.