Despite Brexit Deal, UK Data Transfers Remain in Limbo

Just before Christmas, United Kingdom (“UK”) and European Union (“EU”) negotiators reached an agreement on the UK’s exit from the EU. That agreement, however, did not resolve the status of data transfers from the EU to the UK, and, instead, extends the status quo for up to six months while the European Commission evaluates the “adequacy” of the UK’s data protection laws. This temporary reprieve is a welcome alternative to a sudden imposition of new data privacy requirements, but companies should carefully monitor developments in this volatile area.

Article 44 of the General Data Protection Regulation (“GDPR”) generally prohibits the transfer of personal data outside the European Economic Area. With the UK’s exit from the EU, data transfers to the UK may only be conducted pursuant to certain data transfer mechanisms. One such mechanism is a determination by the European Commission that the UK “ensures an adequate level of protection” for EU personal data. The UK has been pursuing an “adequacy decision” for some time, but the determination remains outstanding, in part due to the Schrems II decision by the Court of Justice of the European Union (“CJEU”) in July 2020.

As we previously addressed, the Schrems II decision invalidated the EU-US Privacy Shield (“Privacy Shield”), a mechanism by which companies transferring data from the EU to the United States could demonstrate that they were providing data protection equivalent to the GDPR. In striking down Privacy Shield, the CJEU determined that United States surveillance laws did not allow the United States to provide an essentially equivalent level of data protection as guaranteed by the GDPR.

The Schrems II decision is relevant to the UK because as of January 1, 2021, the UK can no longer avail itself of provisions in the GDPR that exempt the processing of data for public security, defense, and national security from its scope. The UK has a sophisticated and robust intelligence apparatus, which may raise the same concerns that the CJEU had with United States surveillance. As the European Commission evaluates the UK’s adequacy, it will need to consider whether UK surveillance laws undermine the ability of the UK to provide protection equivalent to the GDPR.

It will be important to follow these developments closely for at least two reasons. First, it is entirely possible that the European Commission will determine that the UK is not adequate, thus forcing companies to scramble to find alternative mechanisms by which to transfer their data, such as Standard Contractual Clauses and Binding Corporate Rules.

Second, if the European Commission determines that the UK is adequate, it may provide a blueprint for the United States to overcome the deficiencies identified by the CJEU in Schrems II. United States and European officials are already negotiating the successor to Privacy Shield, and it may be that the timing and outcome of those negotiations turn on the European Commission’s resolution of the UK adequacy question. It is worth noting that the European Commission signed off on both Safe Harbor and Privacy Shield, only to have both agreements undermined by CJEU decisions. Consequently, a positive adequacy decision may not guarantee smooth sailing for the UK.

In the meantime, while the European Commission evaluates adequacy, and the status quo remains in place, companies should continue to follow existing practices for data transfers from the EU, even if they involve the UK. Whether or not the European Commission reaches a favorable adequacy decision, upon resolution, the UK will supplement its current Data Protection Act by incorporating the requirements of the GDPR into a UK GDPR. The rights and obligations will be substantially the same, and companies operating in both the UK and the EU will need to satisfy both regimes.

If they have not done so already, companies should take this extra time to ensure they are prepared to respond once the European Commission makes an adequacy decision. This includes evaluating the scope of their presence and services provided in the UK, mapping data flows from the European Economic Area to the UK, determining whether a separate data representative is needed for both the UK and the EU, designating a new lead supervisory authority for GDPR compliance if the UK is the existing designated lead supervisory authority, and updating policies and agreements regarding data transfers.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Lisa Monaco, an O’Melveny partner licensed to practice law in the District of Columbia and New York, Michael R. Dreeben, an O’Melveny partner licensed to practice law in the District of Columbia, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California, and John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.