The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. Analysis of the text has barely started, but some of our initial conclusions are outlined below.
1. EU’s commitment to an adequacy assessment
Arguably the biggest headline-grabber was not in the withdrawal agreement, but the associated political declaration that was released at the same time, setting out the framework for a future relationship between the EU and UK. In the second bullet point of page one, there is a clear commitment by the European Commission to commence an assessment of the UK’s data protection standards, with the intention of making a finding of adequacy prior to the end of the transition period.
The EU’s previous public position had consistently been that no adequacy assessment could commence until the UK was considered to be a third country and therefore no longer a member of the EU, so this announcement constitutes a notable concession by the EU. This news should unquestionably be welcomed by international businesses that are looking for both certainty and consistency in the measures they have to take to protect personal data.
2. Transition period
Assuming that the withdrawal agreement is passed (which is a big assumption – see conclusion eight below), then the transition period is initially expected to run from 29 March 2019 until 31 December 2020. During this time the GDPR, along with all other EU data protection laws, will continue in effect within the UK. This means a ratified withdrawal agreement should guarantee that the status quo is maintained for at least the next two years.
Once the transition period ends there are two scenarios that are envisaged under the agreement; neither of which are likely to involve much divergence from the present legal position. In the first, Article 71(1) states that EU data protection law will continue to apply to individuals that reside outside of the UK where their personal data was already being processed within the UK before the transition period ended. The same law will also apply to any further processing that is undertaken in relation to any personal data after the transition period on the basis of the withdrawal agreement.
As with a number of aspects of the withdrawal agreement, the intention here is somewhat ambiguous. Does this mean that the UK is committing to protect the personal data of citizens across the world (except for its own) in accordance with the GDPR, but only if it was already doing so before the transition period ended? The position is further muddied by Article 71(1)(b) which indicates that all personal data processed in the UK after the transition period “on the basis of [the] agreement” will be subject to EU data protection law. What constitutes personal data that is subject to the withdrawal agreement is currently unclear.
The second scenario is invoked in the event of the UK being granted adequacy. In this case, the UK will no longer be directly subject to the data protection laws of the European Union but may instead apply its own laws (and make changes to those laws), as long as these laws continue to meet the test of adequacy.
4. UK commitment to EU data protection principles
In practice this ultimately means that the UK government is making a very firm commitment to maintaining EU data protection standards post-Brexit, irrespective of whether or not an adequacy decision is granted. This should not come as a surprise given the history of the UK data protection law and given the stated intention of preserving existing data protection law under the European Union (Withdrawal) Act 2018. Nonetheless this latest progress provides extra reassurance to businesses and individuals about the commitment of the UK to the GDPR and associated laws.
5. Lack of future flexibility granted to the UK
Even if the UK was to attempt to move away from EU standards in the future, a ratified withdrawal agreement would make it very difficult to do so in any significant way. Article 71(3) creates a backstop in the event of a finding of adequacy being withdrawn or invalidated, committing the UK to ensuring a level of protection of personal data “essentially equivalent” to that under EU law.
The use of “essentially equivalent” instead of simply “equivalent” is significant, as an equivalence regime is currently planned for the financial services sector. Where the standard is equivalence, countries may choose to recognise each other’s standards in a given area or areas as equivalent and grant market access on that basis. The choice of “essentially equivalent” may therefore be to indicate that the standard required is less stringent than equivalence, or to make it clear that maintenance of essentially equivalent standards will not be met with a finding of adequacy in return.
6. Relationship between the ICO and EDPB
It looks increasingly unlikely that the UK’s Information Commissioner’s Office (ICO) will continue to be a member of the European Data Protection Board (EDPB) post-Brexit. Although it is unclear whether the ICO will maintain its existing status throughout the transition period, there are a number of reasons to suspect that its involvement will at least be significantly more limited going forward.
First, when defining the continued application of EU data protection law, Article 70 of the withdrawal agreement specifically excludes Chapter VII of the GDPR from applying. Chapter VII is concerned with the rules governing co-operation between the various supervisory authorities and their involvement with the EDPB.
Secondly, the EU has consistently refused the UK’s proposal of an ‘adequacy plus’ solution which involves the ICO maintaining its existing status as a member of the EDPB. It appears more likely that a future relationship of the soft-Brexit variety could involve the ICO’s continued participation as an informal observer or even an active contributor, but with no voting rights.
7. Definition of Union law
One interesting question that arises from the current draft is whether a future UK that falls outside of the EU’s adequacy regime would be bound to enact any changes made to EU data protection laws post-Brexit. Article 6 of the agreement states that references to Union law shall include all laws “…as amended or replaced, as applicable on the last day of the transition period.” In other words, the UK would not be technically bound to implement any future laws that come into effect after the transition period has expired. This could include the e-privacy regulation, for instance.
Although this theoretically may offer future UK governments some discretion over whether or not they decide to enact the changes to EU legislation, in practice it is difficult to envisage a scenario where this would be appealing given the importance of maintaining cross-border data flows between the UK and EU and the UK government’s commitment.
8. Alternative scenarios
Of course there is the distinct possibility that none of this may happen. Within the 24 hours since the withdrawal agreement was published there has been significant political turmoil in Westminster; the probability of the draft agreement getting through Parliament is looking increasingly remote.
In the event of a no-deal scenario, which remains possible, the UK would become a third country under the GDPR, meaning that data flows from the EU to the UK would have to stop unless appropriate data transfer arrangements were put in place between the relevant organisations.
9. Contingency planning
Given the ongoing risk of a “no deal”, companies that are involved in cross-border transfers of data between the EU and UK should be looking to make contingency plans as a matter of urgency. This could involve, among other things, preparing to execute model standard contractual clauses between parties that are involved in transferring personal data from the EU to UK that is vital to the continued functioning of the business.
10. Prospects of a finding of adequacy
Although this remains somewhat dependent upon what happens next, we believe that there remains a reasonable chance of the UK obtaining a positive finding of adequacy in the future, and that these prospects have not been materially altered by the withdrawal agreement or future relationship framework. However, if Parliament was to vote down the withdrawal agreement then the chances of a no deal scenario increases. In these circumstances the negative impact of an immediate break in the relationship between the two parties could understandably result in a lower prospect of an adequacy finding being made in the short-term. The European Commission’s recent Communication on contingency planning for a “no deal”, explicitly states that an adequacy decision is not planned in the event of a no-deal Brexit.
All in all, despite the important step forward that the publication of the draft withdrawal agreement represents, the uncertainty of Brexit carries on.