The UK–EU Trade and Cooperation Agreement, the long-awaited Brexit trade deal was announced on 24 December 2020.
In an interview with the Daily Telegraph published on Boxing Day, the Prime Minister, Boris Johnson, said that the 1,200 page treaty included provisions that made it a "good deal for digital."
So, in what ways is the deal good for the digital sector and for digital agencies? Does it go far enough? And are there any hidden hazards in there?
This is a short update on what the Brexit deal means for data, and follows on from our previous blog about data and the end of the Brexit transition period.
This update is particularly focused on what this means for UK agencies who have a digital component to their service offering, in particular where that includes managing personal data under GDPR.
What does the Free Trade Agreement say about data?
Data flows, storage, and processing
Firstly, both sides, the UK and the EU, have reaffirmed their commitments to maintaining data flows across the UK–EU border. The UK had already asserted that it would allow EU data to flow into the UK, and the deal affirms that data flows from the UK to the EU will be maintained.
Related to that, the deal also explicitly prohibits either side from imposing requirements on where or data is stored, or the locations in which data is processed.
Both of these are good news for agencies — there is no immediate demand being made to move data or change processing systems or practices, removing a potential area of anxiety or cost increases.
There are also reciprocal commitments to maintain high standards on data protection and privacy for personal data.
This is good news, though not revolutionary given that UK digital businesses have needed to maintain and demonstrate GDPR compliance for a while now.
The big gap: no data adequacy ruling
The most important aspect, though, which we raised in the previous blog about data and the end of the Brexit transition period, is about data adequacy.
The deal does not include a statement on adequacy — whether the UK's data protection regime offers an equivalent protection to that experienced in the EU.
This is not wholly surprising as data adequacy was never a subject for the Trade and Cooperation Agreement negotiations themselves. It is a matter solely for the EU, and depends on a ruling from the European Court of Justice (ECJ).
The UK was being assessed on its data protection provisions during the transition period, but the outcome of that assessment has not not been announced, with no consequent ECJ ruling.
With this scenario becoming apparent, the UK and EU signed a joint declaration to sit alongside the trade deal and act as a temporary bridge, for a period of up to six months, to maintain the current conditions for data flows and data protection. The EU is committed to making that assessment of data adequacy during this bridge period.
During this interim period, UK digital businesses do not need to fall back to adding additional clauses to contracts, as we previously outlined, to maintain data flows from the EU to the UK.
However, once the EU data adequacy decision is made businesses may indeed need to take those measures, depending on the outcome.
In other words, this is not a data cliff edge — there is a temporary reprieve, pending the data adequacy ruling.
Actions for agencies:
There are then two potential actions for agencies:
1) Should the ECJ's ruling grant the UK's data adequacy, no further action needs to be taken.
2) If the UK's data protections are ruled inadequate, either in part or in full, then the remainder of the interim period will give UK businesses time to implement alternative legal provisions, such as adding standard contractual clauses to existing contracts.
Note: data adequacy is contingent
One final comment is worth making.
Data adequacy is not a static thing — it can be withdrawn by the EU in the same manner as it is granted.
If the UK, as it has indicated it intends to do in other areas, decides to diverge from the EU's data protection regulations, or there are changes to other aspects of UK law that may impinge on data protection in the UK, then the EU will reassess the UK's data protection regime and its legislative framework in the round and determine whether it continues to give adequate protection to the personal data of EU citizens.
A later re-assessment, then, may withdraw data adequacy.
That creates an ongoing degree of uncertainty for UK digital businesses.
As a leader of a digital agency, be aware.
This blog is a follow-up to the longer Board Brief paper on what the end of the Brexit transition period means for agencies in the UK. Subscribe to Agency Radar for access to the full paper.
Photo by KOBU Agency on Unsplash