Brexit trade deal: what does it mean for data protection law?
The UK and the EU have agreed a Brexit trade deal, the draft EU-UK Trade and Cooperation Agreement ("Agreement"). The Agreement sets out the terms on which the EU and UK will trade following the end of the implementation period at 11 p.m. on 31 December 2020 ("IP Completion"). Provided that the Agreement is approved by the UK Parliament and by the EU Member States before IP Completion, it is expected that it will be provisionally applied from IP Completion onwards, until it can be ratified by the European Parliament early in 2021.
What does the Agreement say about data protection?
A. Interim period allowing for seamless transfers to UK
In the Agreement, the EU and UK both commit to uphold high standards of data protection1. However, the Agreement does not deal with the key question of whether the European Commission determines the UK’s data protection regime is “adequate” (i.e. equivalent to the EU’s), so as to permit free movement of data from the European Economic Area ("EEA") countries to the UK following IP Completion. Such an adequacy decision is a separate process to a trade deal and has been under consideration by the Commission throughout 2020. It does not appear from the Agreement that an adequacy decision permitting EEA to UK personal data transfers will be reached in time for IP Completion.
In the absence of an adequacy decision, in normal circumstances additional safeguards would have been required from 1 January 2021 in order to transfer personal data from the EEA to the UK in accordance with data protection law. However, the Agreement allows data flows to continue on an interim basis from the EU and the EEA EFTA States2 to the UK without any such additional safeguards3. This is an important step that avoids the need for organisations to make any last-minute rush to finalise paperwork.
The Agreement provides that, for an interim period of up to six months4 from 1 January 20215, a "transmission" of personal data from the EEA to the UK shall not be considered as transfer to a third country under EU law. Presumably this wording is also intended to cover remote access to EEA data by someone in the UK, which would otherwise be a transfer to a third country. This means that the restrictions on transfer under Chapter V of the General Data Protection Regulation ("GDPR" or "EU GDPR") will not apply to transfers to the UK – essentially, the position on transfers that applied during the Brexit transition period will be preserved on an interim basis.
The intention appears to be that the Schrems II6 requirements - to assess UK laws and ensure that transferred personal data is protected to a standard essentially equivalent to the EU GDPR - will not apply during the interim period, since they are only relevant for transfers to third countries. Organisations would no doubt welcome guidance from competent supervisory authorities confirming and clarifying this.
However, as a pre-condition for this interim period to apply, the UK has agreed that it will not: (i) change its data protection laws from the form they take as at 31 December 2020; or (ii) exercise certain "designated powers"7 relating to international transfers without the EU's agreement, which agreement would be given through the newly-constituted Partnership Council8. If the UK changes its data protection laws (other than to align with updates to EU data protection law), or exercises any these designated powers without consent, the interim period will automatically come to an end.
B. Adequacy decisions pending
The interim period is presumably intended to allow time for the EU and UK to each unilaterally adopt an adequacy decision, recognising the other jurisdiction as offering adequate protection for transferred personal data9.
In relation to UK to EEA transfers, the UK has already announced that it will initially treat the EEA countries as adequate for the purpose of UK to EEA transfers, but that it will keep this under review. There appears to be no reason why the UK would depart from its initial position, although the Agreement clearly shows a desire to underline the UK's sovereignty in this regard.
In relation to transfers from the EEA to the UK, adequacy is by no means guaranteed, as there are clearly elements of the UK’s data processing regime which may cause the Commission concern (for example, regarding national security processing, particularly in light of the CJEU decision of 6 October 2020 in Privacy International v Secretary of State for Foreign and Commonwealth Affairs and Others (C-623/17), which casts doubt on whether the UK's regime permitting the retention and transmission of bulk data for national security purposes is compatible with EU law.
However, given that the GDPR will be brought into UK national law by virtue of the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 ("DPA 2018"), there is reason to hope that an adequacy decision may be achievable within this six-month interim period.
C. Other data protection provisions in the Agreement
The Agreement also sees the UK and EU each committing not to adopt any data localisation requirements10 and it provides for the sharing of Passenger Name Records and criminal record information, as well as cooperation on DNA, fingerprint and vehicle registration data11.
To reinforce the mutual commitment to high standards of data protection, either side may unilaterally suspend all or any part of the law enforcement and judicial cooperation provisions in Part Three if there are "serious and systemic deficiencies" in the other side's data protection requirements, including (but not limited to) where an adequacy decision has been revoked by either side12. This underlines the importance given in the Agreement to upholding the fundamental right to personal data protection.
D. The trouble with Legacy Data
As there is not (yet) any formal adequacy decision in place, it should also be noted that Article 71(1) of the Withdrawal Agreement13 will apply immediately from IP Completion. This requires UK organisations to continue to comply with the EU (not UK) GDPR - in its form as at 31 December 2020 - in relation to the personal data of non-UK data subjects: (i) already processed under EU law before IP Completion; or (ii) processed from IP Completion on the basis of the Withdrawal Agreement, for example pursuant to a provision of EU law that applies in the UK by virtue of the Withdrawal Agreement, such as its provisions on citizens' rights) ("Legacy Data").
This highly technical issue is unlikely to make much practical difference to the requirements for UK controllers and processors, as the UK is required not to change its laws from their form as at 31 December 2020 as a precondition of the interim period for transfers. This means that the EU and the UK versions of the GDPR are highly likely to stay aligned.
However, organisations may still need to be able to identify which version of the GDPR applies to any given piece of data, as there may be minor differences – for example, UK courts would still need to pay "due regard" to any CJEU decisions made after IP Completion in relation to Legacy Data14, whereas they would not need to do so in relation to other personal data. If an adequacy decision is granted then the Legacy Data requirements are disapplied and UK organisations may simply apply the UK GDPR to all of their data, including Legacy Data.
What relevant materials do we have on our website?
Our Brexit page, Understanding Brexit, contains links to all our Brexit materials. We will be publishing more data protection materials on our Brexit page and in our data protection bulletins as events unfold.
For information about Brexit, please ask get in touch with our Data Protection team or other usual Stephenson Harwood contact.
1 See the Agreement Part Six, Title II, Article COMPROV.10(1)
2 Note that the EEA European Free Trade Association ("EFTA") States of Iceland, Norway and Liechtenstein must actively notify both the UK and EU in writing for the interim provision to apply to transfers from each of their jurisdictions to the UK (Agreement Part Seven, Article FINPROV.10A(2)) - this update assumes that this will take place
3 See the Agreement Part Seven, Article FINPROV.10A
4 Four months is the default period; it will automatically be extended by a further two months if required, unless either the UK or the EU unilaterally objects. The interim period will come to an end when it expires after four or six months or when adequacy is granted; whichever is the earlier (Agreement Part Seven, Article FINPROV.10A(4)).
5 See the Agreement Part Seven, Article FINPROV.11 for more detail on the date from which the Agreement comes into force; essentially these provisions have effect from the date on which the Agreement is provisionally applied
6 See the CJEU decision in Data Protection Commissioner v Facebook Ireland Limited & Maximillian Schrems (C-311/18) (and see further below)
7 The "designated powers" that the UK must only exercise with EU consent during the interim period include the power for the Information Commissioner's Office to publish standard contractual clauses for international transfers of personal data from the UK and to approve new codes of conduct, certification mechanisms or Binding Corporate Rules that can be relied upon to make international transfers of personal data.
8 The Partnership Council will comprise EU and UK representatives and its role will be to oversee the Agreement – see the Agreement Part One, Title III, Article INST.1
9 Each side will actually need to make two adequacy decisions, since adequacy is required for transfers under the Law Enforcement Directive, as well as under the GDPR.
10 See the Agreement Part Two, Title III, Article DIGIT.6(1)(b)
11 See the Agreement Part Three, Titles II (DNA, fingerprints and vehicle registration data, Title III (PNR) and TItle IX (criminal record data), as summarised in the eu-uk_trade_and_cooperation_agreement-a_new_relationship_with_big_changes-brochure.pdf (europa.eu)
12 See the Agreement Part Two, Title XII, Article LAW.OTHER.137(2)
13 See the Withdrawal Agreement: Agreement on the Withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community Vol 1 https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/862063/TS3202_1.PDF
14 See Article 4(5) of the Withdrawal Agreement