Natalie Jones and Iain Garfield from the BPE Commercial team analyse the recent announcement of proposed changes to web cookies and the implications this may have for businesses who transfer data between the UK and the EU.
In a recent interview with The Telegraph newspaper, the Secretary of State for Digital, Culture, Media and Sport, Oliver Dowden has set out plans to end the “endless” cookie pop ups which have become common place on most websites.
Whilst this is undoubtedly good news for the casual web-surfer, it does create a potential risk from a legal perspective.
The rules around cookies were bought in prior to GDPR and the UK’s current data protection legislation – GDPR is not actually to blame. However, Mr Dowden has indicated that reform of the data protection rules is “one of the big prizes of leaving” the EU, and the rules requiring the ever-present and ever-infuriating pop-ups could be amongst the first to be reviewed.
Although the full extent of the proposed changes are not yet known, their impact could be significant, especially for businesses trading with the EU. The UK currently benefits from an EU adequacy decision, which means the trading bloc acknowledges that the UK provides similar levels of protection to personal data as can be found in the EU itself, and it is this decision that allows for the free flow of personal data between the EU and the UK.
The problem is that, by revised the rules on cookies, UK law could begin to diverge from EU law. And should the EU decide that the UK’s new rules mean that the UK offers a significantly lower degree of protection, the adequacy decision may be reversed, meaning an end to the free flow of personal data from the EU. In its place, UK and EU businesses would have to review their agreements with one another, and swiftly put in place new data transfer agreements that satisfy the GDPR before personal data could safely flow into the UK once more.
Personal data transfers from the EU to countries without an adequacy decision are usually protected by the inclusion of the EU Standard Contractual Clauses (SCCs). These clauses have been scrutinised following a European Court decision known as “Schrems II”, where it was found that the US’s Privacy Shield did not offer adequate protection to personal data (thus making data transfers from the EU (and the UK, which was an EU member at the time of the decision) to the US rather more complex than they had previously been).
The ICO has recently launched a consultation on its proposed International Data Transfer Agreement, which would take the place of, and mean UK businesses no longer have to rely on, the EU SCCs. If these ‘IDTAs’ are shorter and simpler than the EUU SCCs, then Mr Dowden may have further evidence to back up his claim that the UK is benefitting from no longer being an EU member when it comes to cross-border data transfers.
It is expected that a further announcement about the extent of the changes will be made imminently. Watch this space…
If you have any queries relating to data protection either within the UK or internationally, please contact Natalie Jones at Natalie.firstname.lastname@example.org or call 01242 248218 or Iain Garfield at email@example.com or call 01242 248246 contact another member of the BPE Commercial Team for more information.
LinkedIn: BPE Solicitors LLP