Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.

Withdrawal Agreement

Title VII (Articles 70-74) of the Withdrawal Agreement contains some specific provisions on data protection. These are also affected by other provisions throughout the text of the agreement, including Article 127, which importantly provides that Union law (i.e. the GDPR) will be applicable in the UK during the Transition Period. The Withdrawal Agreement contemplates that, during the United Kingdom’s membership of the EU, private and public bodies in the UK have received personal data from companies and administrations in other Member States.

Article 71 of the Withdrawal Agreement specifically provides that, after the end of the Transition Period, the UK has to continue applying EU data protection rules to this “stock of personal data”, until the EU has established, by way of an adequacy decision, that the personal data protection regime of the UK provides appropriate safeguards. If a UK adequacy decision is subsequently revoked, non-UK personal data will need to remain subject to an “essentially equivalent” standard of protection as provided under the GDPR.

Data Transfers

One of the key issues associated with data protection and Brexit is the impact of the UK’s withdrawal on the free flow of data throughout the EU. Although Article 73 of the Withdrawal Agreement contemplates the transfer of UK personal data to the EU, the Withdrawal Agreement does not appear to deal specifically with the issue of transfers of personal data from EU organisations to the UK during the Transition Period.

Breaking this issue down into its constituent parts, according to the Withdrawal Agreement during the Transition Period:

  • the GDPR will apply in the UK;
  • any reference to “Member States” in the GDPR will be understood to include the United Kingdom;

BUT

  • the UK will no longer be in the EEA; and
  • the GDPR restricts the transfer of personal data to “third countries” rather than non-Member States. Third country is not defined in the GDPR but it is generally assumed to mean any country or territory outside the EEA.

As such, it appears that there could be a technical gap in the arrangements under the Withdrawal Agreement. The GDPR international transfer provisions do not refer to Member States and instead refer to third countries, being countries outside of the EEA, which the UK will be (even during the Transition Period). This “gap” would mean that, during the Transition Period, organisations could be required to put in place appropriate safeguards in order to legitimise the transfer of personal data from the EU to the UK. It seems unlikely that this is the intention of either the UK or the EU. The draft Political Declaration confirms a commitment to start adequacy proceedings with a view to the EU Commission adopting an adequacy decision with respect to the UK by the end of 2020 (i.e. by the end of the Transition Period). It would therefore seem illogical to have a period of time between exit and adequacy where organisations are required to put something else in place. However, given the ambiguity of the language in the Withdrawal Agreement, it is likely that organisations will be concerned to push for reassurance from both the UK and the EU that this is not an intentional gap.

Regulatory Cooperation

With respect to the role of the ICO in the European Data Protection Board (“EDPB”) during the Transition Period, Article 128(5) of the Withdrawal Agreement appears to grant the ICO the right to attend (by invitation only) meetings of the EDPB in certain circumstances. However, there will be no right to vote in such meetings.

Next Steps

A special European Council, due to be held on 25 November 2018, will be asked to finalise and approve the text of the Withdrawal Agreement and the full text of the Political Declaration. This will be on the basis of a qualified majority vote. The deal will also have to pass through the European Parliament.
However, the main challenge to a deal being ratified is anticipated to be the requirement for approval by the UK Parliament. The first vote by the UK Parliament is expected within two weeks of the European Council.

Miriam Everett

Partner, Global Head of Data Protection and Privacy, London
