What data protection concerns arise after the Brexit withdrawal agreement

The Brexit withdrawal agreement might have considerable privacy-law consequences for the flow of personal data between the EU and the UK.

Here is an update after the publication of the Brexit withdrawal agreement. This article is based on the post published on Privacy Matters blog by my colleagues Andrew Dyson and James Clark.

What does the Brexit agreement provide, and what are the consequences for personal data?

On the 15th of November 2018, the UK Government and the EU Commission jointly published an agreement on the terms of Brexit. Although the Brexit withdrawal agreement is in draft form and subject to approval by the UK Parliament and EU Member States (which is far from certain to be forthcoming, in the UK at least), it does set out a helpful roadmap of how the current EU / UK regime on personal data will be managed in the immediate aftermath of Brexit on 29 March 2019.

Below is an outline of the main contents of the Brexit withdrawal agreement and of its consequences on personal data.

1. A transition period with EU laws applicable to the UK

The Brexit withdrawal agreement establishes a transition period from 30 March 2019 until 31 December 2020 during which the UK will remain subject to all EU laws (other than those expressly excluded within the Brexit agreement). The UK can extend the transition period (once) by notice before 1 July 2020.

What changes for personal data?

The GDPR and related EU privacy laws (e.g. the Electronic Communications (ePrivacy) Directive and the upcoming ePrivacy Regulation) will continue to apply to the UK until at least 31 December 2020.

2. Same interpretation and application of EU laws between the EU and the UK

EU law will continue to be interpreted and must continue to be applied during the transition period so as to have the same legal effect within the EU and UK, subject to general principles of EU law.

What changes for personal data?

The UK must continue to interpret and apply the GDPR and related EU laws on personal data consistently with wider EU legal principles during the Brexit transition period. Equally, EU Member States must continue to apply GDPR and privacy laws in a way which does not discriminate against the UK.

3. The CJEU to keep jurisdiction over the UK

The Court of Justice of the European Union (CJEU) will continue to have jurisdiction in relation to EU law as it applies to the UK during the transition period.

What changes for personal data?

The CJEU will continue to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK must abide by CJEU decisions during the transition period.

4. The UK to be treated as an EU Member State

All references in EU law to Member States and competent authorities of Member States are to be understood as including the United Kingdom and its competent authorities during the transition period.

What changes for personal data?

This is a key point which means that, for the duration of the transition period, references in the GDPR to a “Member State” should be read to include the UK.  This means that transfers of personal data from the EU to the UK will not be restricted under Chapter V during the transition period.  It would also appear to suggest that the ICO will continue to be a relevant supervisory authority through the transition period, but note point 6 below regarding data processing which starts before the end of transition but continues after transition.

5. No participation of the UK in EU decisions

The UK will be restricted from participation in EU decision-making and governance bodies / offices during the transition period. The UK may however be invited to attend on a non-participatory basis.

What changes for personal data?

We expect that the ICO’s role in the EDPB will be reduced to attendance in an observer capacity.

6. Different regimes for personal data originating before/after the Brexit transition period

The EU GDPR will continue to apply within the UK as EU law after the Brexit transition period, insofar as any EU-originating personal data continue to be processed within the UK post-transition, where the processing of the relevant data commenced before the end of the transition. This protective provision will fall away if the UK secures an EU adequacy decision at any time.

What changes for personal data?

This regime creates a backstop to protect EU residents’ privacy rights, ensuring that EU residents' personal data collected within the UK during transition does not lose GDPR protection just because the Brexit transition ends. It is expected to be superseded by the UK securing an adequacy decision.

What remains to be negotiated between the EU and the UK?

The Brexit agreement deals primarily with the terms on which the UK will operate alongside the EU during the transition period. It does not address the future trading relationship between the EU and UK after transition. That is subject to further negotiation between the parties and further uncertainty for business.

However, the EU and UK have published a high-level, non-binding joint declaration on the potential shape of that long-term relationship, which includes the following positions of intent in relation to the free flow of personal data.

The UK is likely to become a country providing an adequate level of protection to personal data

The joint declaration establishes a willingness by the EC to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of transition. Securing an adequacy decision will be integral to supporting a free flow of personal data between the EU and the UK once the transition period comes to an end and avoiding the backstop noted above.

Principles of cooperation on personal data

The joint declaration also sets out high level principles to:

  1. secure co-operation between data regulators;
  2. facilitate electronic commerce and cross-border data flows; and
  3. develop reciprocal arrangements for passenger name record data, DNA, fingerprint and vehicle registration data processing.

Certainty that might unveil more uncertainty

The Brexit withdrawal agreement is likely to be welcomed by UK and EU businesses as providing regulatory certainty for the next 24 months, effectively guaranteeing legal consistency in data protection laws and the free flow of data throughout that period. However, it comes with a considerable health warning, as there is a high risk the agreement will not be ratified by the UK Parliament. In such a case the UK would leave the EU on 29 March 2019 without any transitional arrangements in place.

This will impact data transfers between the UK and EU after 29 March 2019, which will be treated as transfers to a third country and need to be managed under standard contractual clauses entered into between the respective data exporter and importer.

Short of the UK securing an adequacy decision ahead of December 2020, similar uncertainties will apply to transfers of personal data that take place after that date even under the Brexit withdrawal agreement.