In light of the recent joint publication of the draft Withdrawal Agreement by the UK and the EU concerning the UK’s exit from the EU and its future relationship with and the publication of the outline Political Declaration it is worthwhile seeing whether these documents shed any light on the future of data protection and transfer of such data between the EU and the UK. The draft Withdrawal Agreement states that once the UK leaves the EU next March 2019 there will be a transition period until the 31st of December 2020 (unless the EU decides to extend this period). During this time as a general rule EU law will apply hence the Court of Justice of the European Union will have jurisdiction as will other EU institutions, bodies and agencies.
The Transition Period and Data Protection
The Withdrawal Agreement is clear as regards data protection during the transition period; the GDPR and the e Privacy Directive will continue to have legal force in the UK in relation to personal data processed before or during the transition period and for personal data processed after the expiration period but on the basis of the Withdrawal Agreement. However, if an adequacy decision is in place between the UK and the EU this legislation will not apply for the purposes of data processing as the UK national legislation would be deemed to give the equivalent level of protection as provided by the EU.
So what happens once the transition period has expired or if an adequacy decision is revoked? When or if either of these events occur the UK in theory would only be obliged to protect the personal data of their UK citizens based on their own national legislation. In practise however under the draft Withdrawal Agreement the UK agrees to apply the GDPR standards to the protection of personal data of non UK citizens on condition that the personal data has been processed prior to the end of the transition period. For the EU’s part, during the transition period the flow of personal data from the UK to the EU will not be treated differently to data received from other EU member states.
Adequacy Decisions of the UK
Does the Withdrawal Agreement allow for the UK to develop adequacy decisions during the transition period? The agreement as it stands states that the UK can ‘negotiate, sign and ratify international agreements entered into in its own capacity in the area of exclusive competence of the Union, provided those agreements do not enter into force or apply during the transition period, unless so authorised by the Union’. It is understood by some commentators that this does allow the UK to negotiate adequacy decisions during the transition period so that such decisions can become legally binding post the expiration of the transition period. This could allow for the recognition of the EU-US Privacy Shield for example as well as allowing those companies with binding corporate rules approved by the UK ICO to transfer data. As regards the outline political declaration, the UK reaffirms its commitment to the European Convention on Human Rights. The UK post the transition period will remain a party to the Convention for the Protection of Individuals as regards automatic processing of personal data (Convention 108) and so any transfer of automatically processed data under the Convention would be deemed adequate – it should be noted however that this is only one form of personal data and so is limited in application.
EU Adequacy Decision for the UK?
The draft Withdrawal Agreement makes no guarantee that the UK will gain an adequacy decision post the expiration of the transition period and makes no reference to any assessment to be undertaken by the EU as regards determining an adequacy decision in the future. The outline political declaration which is aspirational does make a reference to the European Commission commencing an assessment and endeavouring to adopt decisions by the end of 2020 – small comfort for legal certainty.
So the big question for businesses both within the UK and the EU who process personal data which remains unanswered by the draft agreement and the political declaration is how will the transfer of personal data from the EU to the UK post the transition period be governed if no adequacy decision is forthcoming from the EU? It can only be hoped that the much relied upon future trading agreement between the UK and the EU will provide legal certainty on this matter.