On last year’s European Data Privacy Day the world looked a very different place for a variety of reasons, the primary one being the ongoing COVID-19 pandemic that continues to dramatically alter people’s everyday lives. Additionally, this time last year the UK was just days away from formally departing the European Union (EU) on January 31 2020, and starting a ‘transition’ period in which the two sides would negotiate their relationship going forward.
Although the UK would remain fully signed up to the GDPR during this 11-month period, there was significant uncertainty about how data protection and privacy would be governed in the UK in the long term, and the effect this would have on the flow of information between the UK and EU. A year ago, Infosecurity spoke to Jonathan Armstrong, partner at Cordery, to discuss his outlook on this topic. With a new trading arrangement finally agreed at the end of 2020, Infosecurity caught up with Armstrong again to find out if there had been any clarification on the UK’s data protection stance and the issues that still require resolution.
Temporary Data Transfer Arrangement
Armstrong firstly expressed relief that a trade agreement had been struck, avoiding the dreaded ‘no deal’ scenario that had looked such a realistic prospect at times last year. In terms of data privacy, this means (for the time being at least) there is some certainty for businesses. As it stands, in practical terms, the General Data Protection Regulation (GDPR) is present in UK law, and in regard to the transfer of data between the EU and the UK – an issue Armstrong emphasized in his interview last year – a temporary agreement has been struck which preserves the 2020 position for a minimum of four months, which could extend to six.
However, Armstrong is concerned that past actions of the current UK government in making dramatic U-turns and going back on agreements indicates it is capable of even scuppering this temporary arrangement. “I’m just worried that there’s no guarantees that we will get to the end of the four-month period or the two-month extension. So it’s still a period of uncertainty for businesses,” he said.
Assuming this is not the case, there will be four months – possibly six – for the EU to grant an ‘adequacy’ decision to allow EU-UK data transfers to continue easily beyond this time. Despite the UK’s deep-rooted relationship with the EU, this is by no means a given, especially bearing in mind the decision by the Court of Justice of the European Union last year to invalidate the EU-US Privacy Shield in the Schrems II case because of concerns over the ways US law enforcement agencies use personal data.
Armstrong believes politics as well as legal considerations will play a major part in this decision, noting that other countries that have already been granted adequacy by the EU, such as Japan, give their security services “more powers and less safeguards” than the UK. He explained: “Some members of the European parliament are annoyed about the actions of the UK security services and will probably lobby hard for no adequacy decision to be put in place.” Armstrong also believes that in some respects, the UK government is “on probation” for the next four to six months, with the EU assessing its behavior and willingness to stick to the temporary arrangement. “In my view, it’s on a knife-edge and will end up being a political decision, not a legal one,” he added.
Even if adequacy is granted, there is no guarantee that will be the end of the matter as the Schrems case offers significant scope for privacy groups to bring proceedings to challenge such a ruling. “I think Schrems will come into play and we will see some challenges either to the temporary deal or to the eventual adequacy decision,” commented Armstrong, although he noted it is unlikely a challenge would be able to go through the whole process before the end of the four-month period.
In the meantime, Armstrong advised that businesses that rely on data transfers from the EU should start making preparations now to preserve the flow of data in light of these uncertainties. In particular, they should consider putting in place standard contractual clauses, starting with key existing providers. He said: “That will be things like HR, payroll and salesforce-type systems, and then go down the list gradually and obviously make sure they do the Schrems double-diligence test for any new providers.” Updating privacy policies to be more transparent about customer data is also highly advisable at this time, according to Armstrong.
Future Divergence from the GDPR?
While the UK in effect will continue to follow the GDPR for now, its departure from the EU means there is the potential for it to diverge from these rules in the future. Conversely, in the view of Armstrong, it is quite plausible that the EU will adapt the GDPR provisions in the coming years, while the UK’s position remains more or less the same. He noted that historically, the UK has been one of the most pro-business voices at the table within the EU, and without that input into discussions, the GDPR provisions may become far stricter and more onerous on organizations. One example is the length of time businesses have to report a data breach, with the original proposal of 24 hours extended to 72. “The UK was partly responsible for getting that timeline stretched out to a more reasonable 72 hours,” commented Armstrong. “Once the UK voice isn’t round that table – and we’ve been told there’s going to be some process for reviewing GDPR and toughening it up in some respects – it could be that the EU moves to 24 hours.”
The last-minute trade agreement struck between the UK and EU provided enormous relief to businesses in a number of areas, and one of these is data protection and privacy rules. However, while some certainty has been given over EU-UK transfers in the short term, how this will manifest beyond that time is unclear at this point. In the longer term, there is a strong possibility that the UK and EU will increasingly diverge in respect of data protection rules more generally. For businesses operating between these two regions, preparations for such changes must begin right now.