The EU Withdrawal Agreement has been released and essentially allows for status quo on data protection until 31 December 2020 (Arts 70, 71, 126).
The Outline of the political declaration, also released on 14 November, happily confirms a commitment to a high level of personal data protection and, most importantly, the ‘Commencement of the Commission’s assessments of the United Kingdom’s standards on the basis of the Union’s adequacy framework, endeavouring to adopt decisions by the end of 2020. In the same timeframe, the United Kingdom will take steps to ensure comparable facilitation of personal data flows to the Union. Appropriate cooperation between regulators.‘
An adequacy decision is very much to be welcomed, although the time period in the Outline of the political declaration could be shorter. Yes, there are some aspects around data protection that the UK has introduced that will need to be looked at (more on that below), but UK law now enshrines, and will continue to do so after Brexit, the EU’s own data protection law (the GDPR) and the UK has been an EU member for some years and has a good answer on many, if not 100%, of the criteria the Commission considers.
As to some areas that will need discussion, the ‘Adequacy Assessments, Key Findings’ section of the excellent August 2018 Study, ‘The future EU-UK relationship: options in the field of the protection of personal data for general processing activities and for processing for law enforcement purposes’ (PE 604.976), commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs, states:
‘Horizontal points of attention in the negotiation will be (1) the requirement for the UK to follow case law from the CJEU in its interpretation and application of data protection law (contrary to the approach adopted in the Withdrawal Act); and (2) onward transfers, particularly in the context of the Law Enforcement Directive, where the UK’s relationship towards transatlantic partners might create doubts on the appropriateness of a position that is fully or closely equivalent to that of a Member State‘ (p24). More detail is given on page 29, including the UK’s position on immigration law in the Data Protection Act 2018.
However, the Study also states that, given criteria the Commission also considers, such as the extent of commercial relationships and personal data flows, the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region, and the overall political relationship with that country, ‘the UK should be a high priority partner for opening adequacy discussions. Furthermore, based on the fact that the UK’s data protection law has evolved in tandem with the EU’s, and on the fact that the UK has already announced its intention to adopt data protection law which is closely aligned to the GDPR, an adequacy assessment for the UK should be a significantly more expedient process than for non-European countries that do not benefit from this shared history. The UK Government also appears to take this position, as its July 2018 White Paper indicated that “the UK believes that the EU’s adequacy framework provides the right starting point for the arrangements the UK and the EU should agree on data protection”.’
We welcome any news that increases confidence and certainty for businesses dealing with personal data, and we would welcome the fastest-possible adequacy decision. We are hearing of customers moving data from the UK to continental EU now, and of service providers moving datacenters from the UK to continental EU now, in order to have a strategic answer and move on with business with continental EU customers. We believe the longer the wait for an adequacy decision, the more this trend will accelerate. How much of that data would come back to the UK is open to debate.
Interestingly, the EU Withdrawal Agreement also states that EU data protection law (GDPR etc) shall apply in the UK ‘in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data … are processed in the United Kingdom AFTER [our emphasis] the end of the transition period [31/12/20] on the basis of this Agreement‘. (Art 71(1)) . This will cease to apply if and to the extent an adequacy decision applies (Art 71(2)).