Information Commissioner Elizabeth Denham looks at the data protection aspects of the recently agreed UK-EU trade agreement.
22 January 2021
The digital world has few borders. When a woman in Manchester watches a video clip on her phone, it’s likely that the delivery of that video clip content to her is because of personal data. She can be accessing content made anywhere in the world and targeted to her based on a personal profile, on an app designed in Japan, with her personal data held on servers in the US, and backed up in Finland. And that’s before we consider the international personal data ecosystem behind the advertisements that appear alongside the content.
The digital world, or more specifically the flow of personal information around the world, plays a role in everything from employee information to catching criminals, and from medical research to investing in pension funds.
International agreements are the crucial foundations to so much of the digital innovation we take for granted.
That is why the data protection aspects of the recently agreed UK and EU Trade and Cooperation Agreement (TCA) were so important. The TCA contains both short term provisions, allowing data to continue to flow from the EU to the UK, and long-term commitments, such as to maintaining high standards of data protection.
High standards and co-operation
I must begin by welcoming the commitment by both the EU and UK to ensuring a high level of personal data protection, and to working together to promote high international standards.
As envisaged by the TCA, I look forward to developing a new regulatory relationship with European data protection authorities, sharing ideas and data protection expertise and co-operating on enforcement actions where appropriate. As evidenced by our work globally, regulatory cooperation remains key to ensuring we can protect the public’s personal data wherever it resides. The ICO will also continue to develop its international strategy.
Data flows: short term bridging provisions and adequacy
The TCA contains an important safety net, allowing transfers of data from the EU to UK to continue without restriction for four months whilst the EU considers the UK’s application for adequacy. This is the usual mechanism used by the EU to allow for continued data flow with third countries. This is very welcome news and was the best possible outcome for UK organisations given the risks and impacts of no adequacy. This bridge contained within the TCA will provide a legally robust mechanism that can give UK organisations confidence to continue digital trade in the coming months.
The EU has committed (in a Declaration alongside the TCA) to consider promptly the UK’s adequacy application. The Government is taking the lead on that process, with the ICO providing independent regulatory advice when appropriate. We’ll publish more details in due course as the outcome of the adequacy process becomes clear.
Whilst we wait for an adequacy decision, for the bridge to continue any new UK adequacy regulations, standard contractual clauses or ICO approvals of international transfer mechanisms, must be put before the TCA’s oversight mechanisms.
Data flows: keeping us safe
Our police and other law enforcement authorities, in the UK and EU, rely on sharing information with each other to prevent, investigate and prosecute crimes, and ultimately to keep us all safe.
Part three of the TCA sets out detailed provisions allowing data sharing for law enforcement. It includes arrangements for the transfer of DNA data, fingerprints, vehicle registrations and Passenger Name Record (PNR) data. It also allows for the UK to access data from EUROPOL and EUROJUST. Part three also contains important commitments to key elements of data protection and for the ICO to be consulted about data protection assessments related to PNR data.
I welcome the provisions in the TCA which bake-in the importance of high standards of data protection and international data flows for UK citizens and for the UK economy - they keep us safe, they support our economy, they keep us connected. In our ever-innovating, inter-connected world, my role is to make sure that data flows continue, and continue to protect UK citizens, so they can continue to enjoy digital services underpinned by a seamless flow of data.
Elizabeth Denham was appointed UK Information Commissioner on 15 July 2016, having previously held the position of Information and Privacy Commissioner for British Columbia, Canada.
28 Jan 2021 – we have made the following amendments to the blog:
1) Amended the wording in paragraph nine to be clearer for businesses
2) Removed the phrase “palm vein” from paragraph 12 as it is not referred to in the Treaty