Yesterday evening the UK Government and the EU Commission jointly published an agreement on the terms of the UK’s withdrawal from the EU (the “Withdrawal Agreement“).
Although the Withdrawal Agreement is in draft form and subject to approval by the UK Parliament and EU Member States (which is far from certain to be forthcoming, in the UK at least), it does set out a helpful roadmap of how the current EU / UK data protection regime will be managed in the immediate aftermath of the UK’s formal departure from the EU on 29 March 2019.
- The Withdrawal Agreement establishes a transition period from 30 March 2019 until 31 December 2020 during which the UK will remain subject to all EU laws (other than those expressly excluded within the Withdrawal Agreement). The UK can extend the transition period (once) by notice before 1 July 2020.Consequence: the GDPR and related EU privacy laws (eg the Electronic Communications (ePrivacy) Directive) will continue to apply to the UK until at least 31 December 2020.
- EU law will continue to be interpreted and must continue to be applied during the transition period so as to have the same legal effect within the EU and UK, subject to general principles of EU law.Consequence: the UK must continue to interpret and apply the GDPR and related EU laws consistent with wider EU legal principles during the transition period. Equally, EU Member States must continue to apply GDPR in a way which does not discriminate against the UK.
- The Court of Justice of the European Union (CJEU) will continue to have jurisdiction in relation to EU law as it applies to the UK during the transition period.Consequence: the CJEU will continue to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK must abide by CJEU decisions during the transition period.
- All references in EU law to Member States and competent authorities of Member States are to be understood as including the United Kingdom and its competent authorities during the transition period.Consequence: this is a key point which means that, for the duration of the transition period, references in the GDPR to a “Member State” should be read to include the UK. This means that transfers of personal data from the EU to the UK will not be restricted under Chapter V during the transition period. It would also appear to suggest that the ICO will continue to be a relevant supervisory authority through the transition period (but note point 6 below regarding data processing which starts before the end of transition but continues after transition).
- The UK will be restricted from participation in EU decision-making and governance bodies / offices during the transition period. The UK may however be invited to attend on a non-participatory basis.Consequence: we expect that the ICO’s role in the EDPB will be reduced to attendance in an observer capacity.
- The EU GDPR will continue to apply within the UK as EU law after the transition period, insofar as any EU originating personal data continue to be processed within the UK post-transition, where the relevant data commenced before the end of the transition. This protective provision will fall away if the UK secures an EU adequacy decision at any time.Consequence: this creates a backstop to protect EU residents’ privacy rights to ensure that EU resident data collected within the UK during transition does not lose GDPR protection just because transition ends. It is expected to be superseded by the UK securing an adequacy decision.
The Withdrawal Agreement deals primarily with the terms on which the UK will operate alongside the EU during the transition period. It does not address the future trading relationship between the EU and UK after transition. That is subject to further negotiation between the parties and further uncertainty for business. However, the EU and UK have published a high level non-binding joint declaration (“Joint Declaration“) of the potential shape of that long-term relationship, which includes some clear positions of intent in relation to the free flow of personal data.
- The Joint Declaration establishes a willingness by the EC to commence an assessment of the UK’s adequacy, with an ambition to adopt an adequacy decision by the end of transition. Securing an adequacy decision will be integral to supporting a free flow of personal data between the EU and the UK once the transition period comes to an end and avoiding the backstop noted above.
- The Joint Declaration also sets out high level principles to:
- secure co-operation between data regulators;
- facilitate electronic commerce and cross-border data flows; and
- develop reciprocal arrangements for PNR data, DNA, fingerprint and vehicle registration data processing.
The Withdrawal Agreement is likely to be welcomed by UK and EU businesses as providing regulatory certainty for the next 24 months, effectively guaranteeing legal consistency in data protection laws and the free flow of data throughout that period. However it comes with a considerable health warning, as there is a high risk the Agreement will not be ratified by the UK Parliament. In such a case the UK would leave the EU on 29 March 2019 without any transitional arrangements in place. This will impact data transfers between the UK and EU after 29 March 2019 – which will be treated as transfers to a third country and need to be managed under standard contractual clauses entered into between the respective data exporter and importer. Short of the UK securing an adequacy decision ahead of December 2020, similar uncertainties will apply to data transfers that take place after that date even under the Withdrawal Agreement.
If you have any questions about the impact of Brexit on data protection, please contact the authors of this article, or your usual DLA Piper contacts.
Andrew Dyson (Partner) and James Clark (Senior Associate), DLA Piper UK LLP