The UK–EU Trade and Cooperation Agreement, the long-awaited Brexit trade deal was announced on 24 December 2020.

In an interview with the Daily Telegraph published on Boxing Day, the Prime Minister, Boris Johnson, said that the 1,200 page treaty included provisions that made it a "good deal for digital."

So, in what ways is the deal good for the digital sector and for digital agencies? Does it go far enough? And are there any hidden hazards in there?

This is a short update on what the Brexit deal means for data, and follows on from our previous blog about data and the end of the Brexit transition period.

Blog: Data, GDPR and your agency after the end of the Brexit transition period
The issues for your agency for GDPR compliance and data protection after 31 December 2020 —what impact is there on data after the end of the transition period?
Agency RadarDr Joe Baker

This update is particularly focused on what this means for UK agencies who have a digital component to their service offering, in particular where that includes managing personal data under GDPR.

What does the Free Trade Agreement say about data?

There are several important provisions for data in the deal.

Data flows, storage, and processing

Firstly, both sides, the UK and the EU, have reaffirmed their commitments to maintaining data flows across the UK–EU border. The UK had already asserted that it would allow EU data to flow into the UK, and the deal affirms that data flows from the UK to the EU will be maintained.

Related to that, the deal also explicitly prohibits either side from imposing requirements on where or data is stored, or the locations in which data is processed.

Both of these are good news for agencies — there is no immediate demand being made to move data or change processing systems or practices, removing a potential area of anxiety or cost increases.

Data privacy

There are also reciprocal commitments to maintain high standards on data protection and privacy for personal data.

This is good news, though not revolutionary given that UK digital businesses have needed to maintain and demonstrate GDPR compliance for a while now.

The big gap: no data adequacy ruling

The most important aspect, though, which we raised in the previous blog about data and the end of the Brexit transition period, is about data adequacy.

Blog: Data, GDPR and your agency after the end of the Brexit transition period
The issues for your agency for GDPR compliance and data protection after 31 December 2020 —what impact is there on data after the end of the transition period?
Agency RadarDr Joe Baker

The deal does not include a statement on adequacy — whether the UK's data protection regime offers an equivalent protection to that experienced in the EU.

This is not wholly surprising as data adequacy was never a subject for the Trade and Cooperation Agreement negotiations themselves. It is a matter solely for the EU, and depends on a ruling from the European Court of Justice (ECJ).

The UK was being assessed on its data protection provisions during the transition period, but the outcome of that assessment has not not been announced, with no consequent ECJ ruling.

With this scenario becoming apparent, the UK and EU signed a joint declaration to sit alongside the trade deal and act as a temporary bridge, for a period of up to six months, to maintain the current conditions for data flows and data protection. The EU is committed to making that assessment of data adequacy during this bridge period.

During this interim period, UK digital businesses do not need to fall back to adding additional clauses to contracts, as we previously outlined, to maintain data flows from the EU to the UK.

However, once the EU data adequacy decision is made businesses may indeed need to take those measures, depending on the outcome.

In other words, this is not a data cliff edge — there is a temporary reprieve, pending the data adequacy ruling.

Get your Agency Espresso every Monday

A shot of inspiration for agency leaders, direct to your inbox

We will never share your details with anyone else

Actions for agencies:

There are then two potential actions for agencies:

1) Should the ECJ's ruling grant the UK's data adequacy, no further action needs to be taken.

2) If the UK's data protections are ruled inadequate, either in part or in full, then the remainder of the interim period will give UK businesses time to implement alternative legal provisions, such as adding standard contractual clauses to existing  contracts.

Note: data adequacy is contingent

One final comment is worth making.

Data adequacy is not a static thing — it can be withdrawn by the EU in the same manner as it is granted.

If the UK, as it has indicated it intends to do in other areas, decides to diverge from the EU's data protection regulations, or there are changes to other aspects of UK law that may impinge on data protection in the UK, then the EU will reassess the UK's data protection regime and its legislative framework in the round and determine whether it continues to give adequate protection to the personal data of EU citizens.

A later re-assessment, then, may withdraw data adequacy.

That creates an ongoing degree of uncertainty for UK digital businesses.

As a leader of a digital agency, be aware.

This blog is a follow-up to the longer Board Brief paper on what the end of the Brexit transition period means for agencies in the UK. Subscribe to Agency Radar for access to the full paper.

Board Briefing: What the end of the Brexit transition period means for agencies
This Board Briefing paper covers everything agency boards need to know on what the end of the Brexit transition period means, from access to Europe, legal and regulatory issues, contracts, data protection and GDRP, people matters for staff, customers and suppliers, plus mitigation options
Agency RadarDr Joe Baker
Photo by KOBU Agency on Unsplash