Introduction
This blog post discusses the data protection measures in the Withdrawal Agreement on the withdrawal of the UK from the EU and the accompanying Political Declaration on the future relationship. Although the texts are subject to approval by the UK Parliament and EU member states (which is far from certain to be forthcoming, in the UK at least), they set out a roadmap for post-withdrawal EU-UK personal data transfers. In brief, the Withdrawal Agreement provides that EU data protection law will continue to apply generally in the UK during the transition period, meaning there will be no immediate restriction of data transfers from the EEA to the UK when the UK leaves the European Union on 29th March 2019. The accompanying Political Declaration indicates an intention on the part of the UK government to seek an adequacy decision from the European Commission during the transition period to address EU-UK data transfers from 1st January 2021. It also contains provisions for the on-going application of EU data protection law after that date, which may avoid some data transfer restrictions if an adequacy decision is not obtained during the transition period. In short, it provides a framework for ensuring personal data transfers continue unimpeded – provided the UK takes steps to secure a finding of adequacy by the European Commission. Whilst these elements are positive, the UK will, however, cease to participate in the European Data Protection Board and the so-called one-stop-shop procedures of the GDPR – reducing the UK’s ability to influence future development of EU data protection law, and increasing compliance costs for UK established businesses.
On 25th November 2018, at a special European Council meeting, the texts of the Withdrawal Agreement (which reflects the in-principle agreement between the UK and EU negotiating teams on the full legal text) and Political Declaration (which sets out progress on the scope of the framework for the future relationship) were finalised and approved on the basis of a qualified majority vote. The UK government has now laid the final version of the Withdrawal Agreement before Parliament, as it needs implementation in domestic law through primary legislation to be given legal effect. This outcome is by no means assured, however, as it remains to be seen whether it will survive debate and votes in the UK parliament currently scheduled for 11th December 2018.
The Withdrawal Agreement does not address the future trading relationship between the EU and UK once the transition period ends. That is subject to further negotiation between the parties. Instead, the Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29th March 2019 and includes a transition period (which the UK refers to as an "implementation period") which will last until 31st December 2020 (or possibly until 2022 at the latest by joint agreement), during which EU data protection law will continue to apply in and to the UK (Art 127).
The Withdrawal Agreement is accompanied by a Political Declaration that sets out a vision for the future, including positions of intent in relation to the free flow of personal data, and a commitment to a high level of data protection. It indicates willingness on the part of the European Commission to commence an adequacy assessment during the transition period with the aim of securing an adequacy finding by the end of 2020 i.e. by the end of the anticipated transition period. The outline political declaration also states that the UK will put in place a mechanism to ensure a free flow of data from the UK to the EU. It further mentions an intention to have "appropriate cooperation between regulators". Taken together, these documents confirm a commitment by the UK to maintaining GDPR standards during the transition period, which is welcome news for international businesses seeking certainty, consistency and continuity in the measures they have to take to protect personal data. It also offers reassurance to individuals that data protection measures will remain robust immediately after the UK leaves the EU.
Personal data transfers during the transition/implementation period
The GDPR will continue to apply in and to the UK in relation to personal data processed during the transition period, thereby ensuring that there will be no restrictions on personal data transfers between the EU and UK during the transition period (Art 71). EU member states have also agreed not to treat data received from the UK during the transition period differently to data received from EU member states solely on the basis that the UK has left the EU (Art 73). The CJEU will continue to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK will abide by CJEU decisions during the transition period (Art 129). Significantly, the Withdrawal Agreement provides that:
“Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data (a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or (b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.” Art 71(1).
When read in conjunction with comments in a speech by Emma Bate, General Counsel for the Information Commissioner’s Office (ICO):
"... you may be interested to hear the current [ICO] thinking regarding transfers. We have moved away from pure geographical considerations. A transfer of data outside the EEA is not restricted by Chapter V of the GDPR if the data, when held by the non-EEA recipient, is still protected by the extra-territorial scope provisions of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside of the protection of the GDPR.” (Emma Bate, Counsel, ICO, 5RB Conference Speech, 26 September 2018)
It is apparent that the ICO is of the view that data transfer restrictions under the GDPR do not apply where the recipient of personal data is directly bound by the GDPR, i.e. covered by a “GDPR-envelope”. This approach could have positive implications for international transfers of data from the UK during the transition period because the general counsel of the ICO has seemingly suggested that data transfers to non-EEA countries that haven’t been granted an adequacy decision will be unrestricted if the recipient (UK based business) is already subject to the EU rules. Significantly, the “GDPR-envelope” would apply only to personal data processed in the UK during the transition period (Art 71(a)) or personal data which continue to be processed in the UK in reliance on these arrangements after the transition period ends (Art 71(b)), because it is anticipated that the “GDPR-envelope” will be superseded by an adequacy decision, which should be in place by the end of the transition period (Art 71(2)). In effect, Art 71(b) creates a backstop to ensure that EU residents’ personal data does not lose GDPR protection once the transition period ends if an adequacy decision is not in place by then. Relatedly, Article 71(3) creates a backstop during the transition period: in the event of a finding of adequacy being withdrawn or revoked, it commits the UK to ensuring a level of protection of personal data “essentially equivalent” to that under the GDPR in respect of EEA residents’ personal data.
It remains to be seen whether this “GDPR envelope” will be reflected in the EDPB’s guidance on territorial scope and data transfers. The prospect of UK based data controllers being able to continue to receive personal data from EEA countries during the transition period without needing to put in place Chapter V transfer mechanisms (e.g. model clauses or binding corporate rules) or rely on one of the derogations has been welcomed by some data protection experts because “it could only have the effect of making transfers easier.” (Jon Baines, Mishcon de Reya, quoted in Global Data Review Blog, 12 October 2018). However, other data protection experts have reacted with concern to the “GDPR-envelope” interpretation on the basis that it would allow the UK to temporarily avoid compliance with the Schrems criteria, e.g. fundamental rights compliant limits on surveillance. These critics have noted that although the “GDPR-envelope” in the withdrawal agreement would be justiciable by the CJEU, the transition period would likely have concluded by the time a complaint was heard.
In my view, whilst it would be better to insist that UK data controllers rely on Chapter V GDPR mechanisms such as contracts and derogations during the transition phase, the reality is that drafting and implementation of such measures, e.g. contractual arrangements, would be a costly, time-consuming (they might not be in place for most of the transition period) and onerous exercise that would unfairly penalise small and medium sized enterprises, causing harm to both the EU and UK economies, which both parties are keen to avoid, particularly as an adequacy decision could well be in place before the other mechanisms are finalised. Whilst not ideal, the pragmatic ‘fudge’ minimises economic harm by ensuring that EU-UK personal data transfers continue unimpeded during the transition period, and is, in my view, acceptable because it will be a temporary arrangement as the UK will still be obliged to inter alia amend provisions in the Investigatory Powers Act 2016 in order to secure a finding of adequacy by the European Commission by the end of the transition period.
Prospects of obtaining & retaining an adequacy decision
Securing an adequacy decision will be vital to ensuring the unimpeded flow of personal data between the EU and the UK once the transition period comes to an end. The EU has made a significant positive concession in indicating a willingness to commence the adequacy assessment process during the transition phase with the aim of having one in place by the end of 2020, i.e. the end of the transition period. This would minimise disruption to EU-UK personal data transfers. There is, however, no guarantee that the UK will obtain an adequacy decision from the European Commission because provisions in the Investigatory Powers Act 2016 concerning the retention of communications data and the bulk collection and retention powers of the UK surveillance services are likely to be an obstacle to an adequacy finding. Until such time as these provisions are amended, a finding of adequacy is not likely to be forthcoming. If the UK were to secure an adequacy decision and then seek, in the future, to diverge significantly from EU standards, it could jeopardise renewal of an adequacy decision. Consequently, until such time as the EU ceases to be the UK’s largest trading partner (which is not forecast to change in coming decades), UK data protection law is likely to maintain close alignment with EU data protection law.
EDPB membership & participation in the One stop Shop mechanism
The involvement and influence of the UK’s Information Commissioner’s Office (ICO) in regulatory co-operation mechanisms will, however, be significantly reduced when the UK leaves the EU because Article 70 of the withdrawal agreement specifically excludes the application of Chapter VII of the GDPR during the transition period. Chapter VII is concerned with the rules governing co-operation between supervisory authorities and their involvement with the EDPB. Unsurprisingly, Article 128(5) of the Withdrawal Agreement grants the ICO (the UK’s national data protection supervisory authority) the right to attend (by invitation only) meetings of the EDPB in certain circumstances. As an ‘observer’ the ICO will not have a right to vote in such meetings, so will lose its ability to directly influence the development of data protection in the EU. In addition, organizations will not be permitted to designate the UK ICO as lead authority for GDPR purposes. Further, if a company has a binding corporate rules (BCR) application with the ICO, the ICO would no longer be able to act as the lead authority for that application. Discussions should be commenced with the ICO to make arrangements for progression of any pending applications. Clearly these changes will impact negatively on businesses operating in both the UK and the EEA as it will increase their compliance burden.
Concluding Remarks
The provisions concerning data protection in the Withdrawal Agreement have been cautiously welcomed by business because they provide a degree of regulatory certainty during the transition period. However, it remains to be seen whether the UK parliament will agree to support and implement the Withdrawal Agreement, and until it does the risk of a “no deal” remains high. Given this uncertainty, organisations that rely upon cross-border transfers of data between the EEA and UK should continue to make contingency plans such as preparing to execute model standard contractual clauses to ensure that EEA-UK personal data transfers are not halted in the event of a “no deal” scenario.