Information Commissioner Elizabeth Denham looks at the data protection aspects of the recently agreed UK-EU trade agreement.
22 January 2021
The digital world has few borders. When a woman in Manchester watches a video clip on her phone, it’s likely that the delivery of that video clip content to her is because of personal data. She can be accessing content made anywhere in the world and targeted to her based on a personal profile, on an app designed in Japan, with her personal data held on servers in the US, and backed up in Finland. And that’s before we consider the international personal data ecosystem behind the advertisements that appear alongside the content.
The digital world, or more specifically the flow of personal information around the world, plays a role in everything from employee information to catching criminals, and from medical research to investing in pension funds.
International agreements are the crucial foundations to so much of the digital innovation we take for granted.
That is why the data protection aspects of the recently agreed UK and EU Trade and Cooperation Agreement (TCA) were so important. The TCA contains both short term provisions, allowing data to continue to flow from the EU to the UK, and long-term commitments, such as to maintaining high standards of data protection.
High standards and co-operation
I must begin by welcoming the commitment by both the EU and UK to ensuring a high level of personal data protection, and to working together to promote high international standards.
As envisaged by the TCA, I look forward to developing a new regulatory relationship with European data protection authorities, sharing ideas and data protection expertise and co-operating on enforcement actions where appropriate. As evidenced by our work globally, regulatory cooperation remains key to ensuring we can protect the public’s personal data wherever it resides. The ICO will also continue to develop its international strategy.
Data flows: short term bridging provisions and adequacy
The TCA contains an important safety net, allowing transfers of data from the EU to UK to continue without restriction for four months whilst the EU considers the UK’s application for adequacy. This is the usual mechanism used by the EU to allow for continued data flow with third countries. This is very welcome news and was the best possible outcome for UK organisations given the risks and impacts of no adequacy. This bridge contained within the TCA will provide a legally robust mechanism that can give UK organisations confidence to continue digital trade in the coming months.
The EU has committed (in a Declaration alongside the TCA) to consider promptly the UK’s adequacy application. The Government is taking the lead on that process, with the ICO providing independent regulatory advice when appropriate. We’ll publish more details in due course as the outcome of the adequacy process becomes clear.
Whilst we wait for an adequacy decision, any new UK adequacy regulations, standard contractual clauses or ICO approvals of international transfer mechanisms, must be put before the EU–UK Partnership Council (the PC). And the UK must notify the PC, as far as reasonably possible, of any new international agreement between public authorities for international transfers. Should any UK public authority be intending to enter into such an agreement, it should notify the Department for Digital, Culture, Media and Sport (DCMS).
Of course, there is no guarantee that the EU will grant the UK an adequacy decision and businesses should continue to take sensible precautions for any eventuality. Our website has details of the safeguards businesses can put in place now, to ensure data continues to flow even without an adequacy deal and how to identify data received from the EU prior to 1 January 2021 which may become subject to a separate data protection regime. As with so much good data protection practice, preparation is key: data flows are too important not to protect.
Data flows: keeping us safe
Our police and other law enforcement authorities, in the UK and EU, rely on sharing information with each other to prevent, investigate and prosecute crimes, and ultimately to keep us all safe.
Part three of the TCA sets out detailed provisions allowing data sharing for law enforcement. It includes arrangements for the transfer of DNA data, fingerprints, palm vein, vehicle registrations and Passenger Name Record (PNR) data. It also allows for the UK to access data from EUROPOL and EUROJUST. Part three also contains important commitments to key elements of data protection and for the ICO to be consulted about data protection assessments related to PNR data.
I welcome the provisions in the TCA which bake-in the importance of high standards of data protection and international data flows for UK citizens and for the UK economy – they keep us safe, they support our economy, they keep us connected. In our ever-innovating, inter-connected world, my role is to make sure that data flows continue, and continue to protect UK citizens, so they can continue to enjoy digital services underpinned by a seamless flow of data.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.