What does the draft withdrawal agreement say about processing of personal data?
The short answer is that EU data protection law will continue to apply generally in the UK during the transition period, meaning there will be no immediate restriction of data transfers to the UK when the UK Brexits, on March 29th 2019. The UK will, however, cease to participate in the European Data Protection Board and the so-called one-stop-shop procedures of the GDPR.
There is an assumption underlying the provisions in the draft agreement that the UK will seek an adequacy decision to address data transfers as from 1 January 2021. There are also more complex provisions for the ongoing application of EU data protection law after that date, which may avoid some data transfer restrictions if an adequacy decision is not achieved in a timely manner.
The more detailed analysis follows.
The UK must commit, on an ongoing basis, to protect the personal data of individuals who are covered by EU data protection law but who are not in the UK. “EU data protection law” could be the GDPR, the LED, ePrivacy or other EU data protection law.
Where personal data were processed in the UK, and where EU data protection law applied to the processing of such data before the end of the transition period (31 December 2020), then EU law must continue to apply in the UK. Union law means all aspects of the GDPR except Chapter VII (i.e. co-operation and consistency).
This principle will be disapplied if an adequacy decision is in place (so any subsequently agreed adequacy decision will take precedence over this provision). If an adequacy decision is in force, but then ceases to be applicable, then the UK commits to ensure an essentially equivalent level of protection for personal data to that in Union law.
Rules on jurisdiction in the GDPR will apply to claims brought during the transition period. During the transition period, Union law will produce the same effects in respect of the UK as it does in respect of the Union and its Member States. There are also transition arrangements for the exchange of law enforcement and PNR data, and continued rights to use European information exchange systems.
The CJEU will continue to have jurisdiction to deal with claims brought during the transition period. There are also arrangements for ongoing jurisdiction for the CJEU for specific matters during a further four-year period post transition.
What does this really mean?
1. During the transition period, the UK continues to apply EU data protection law. The EU treats the UK in the same way as any other Member State (so no restrictions on data transfer). There is a carve-out for the co-operation and consistency mechanism. This means that the UK will not participate in the EDPB.
This could be called “EEA minus” - on the basis that data transfers will not be disrupted, but the UK falls outside the one-stop shop (whereas Norway, Iceland and Liechtenstein participate in the EDPB, but without voting rights). For businesses which operate across the UK and the EU, this could leave them facing parallel proceedings in the UK and the EU.
2. After the transition period, there is an indefinite commitment from the UK to apply EU data protection law, whenever it applied prior to the end of the transition period.
There is a view that data transfer restrictions under the GDPR do not apply where the recipient of personal data is directly bound by the GDPR. This could be called the “GDPR bubble”. This view is reflected in the Information Commissioner’s GDPR Guidance. It will be important to see if this view is reflected in the EDPB’s much anticipated guidance on territorial scope and data transfers.
If this approach prevails, there would be no data transfer restrictions in respect of such data. In the event that the UK obtains an adequacy decision, then this arrangement would supersede the “GDPR bubble”.
3. This GDPR-bubble approach only applies to personal data processed in the UK before the end of the transition period, or which then continue to be processed in the United Kingdom in reliance on these arrangements. This means that if organisations want to transfer new personal data to the UK after the end of the transition period, a different solution will be needed. The assumption underlying the draft withdrawal agreement is that this new solution will be an adequacy decision - which will address new transfers and which will replace the GDPR bubble.
4. The drafting talks about personal data processed “in the United Kingdom”. Where UK organisations have outsourced their personal data processing - for example to a shared service centre in India, or a cloud provider in the US - it is not clear what rules will apply.