What does the Brexit Agreement say about data protection?

By Ruth Boardman


Readers will be most interested in the provisions on data transfer. As from 1st January 2021, transfers of personal data from the EEA to the UK should be treated like transfers of personal data to any other third country, in accordance with Chapter V of the General Data Protection Regulation (GDPR). As the UK does not (yet) have an adequacy decision, this would mean using “appropriate safeguards” or relying on a derogation to the restrictions.

On this point, the EU-UK Trade & Co-operation Agreement (TCA, or Brexit Agreement), provides a stay of execution (Art.FINPROV.10A). Data transfers to the UK from the EU and EEA are not to be treated as made to a third country. This lasts until an adequacy decision is granted, or (if earlier) until 1 May 2021. If no adequacy decision has been issued by that date, then there is a further automatic extension, until 1 July 2021, unless either party objects to that.

This arrangement is conditional on the UK not amending its data protection legislation or exercising certain “designated powers” during this period. These powers are – broadly – doing anything new relating to data transfers. If the UK does want to take action during this period, then it can do so with the approval of the TCA Partnership Council (see below for more on this). There is an exception for UK amendments which are limited to changes to align rules with those applicable in the EU. The European Commission has published a draft implementing decision relating to new standard contractual clauses for data transfers. If the EU adopts these new clauses, this exception would allow the UK to adopt the same updated clauses, should it wish to do so.

The “designated powers” list includes issuing an approval for new binding corporate rules. Organisations which rely on Binding Corporate Rules for their data transfers will be aware of the need to adjust their BCRs so that, as from 1st January 2021, they meet both EEA and UK requirements. Recent Brexit related legislation in the UK (https://www.legislation.gov.uk/ukdsi/2020/9780348213522) requires organisations which have BCRs which were approved under the Data Protection Directive, by an authority other than the Information Commissioner, to resubmit their BCRs to the Information Commissioner by 31st June 2021. The Commissioner is then required to decide whether or not to approve the amended rules and to notify the organisation accordingly without delay. The intent of the legislation is that these “re-approved” BCRs will be treated as though they were approved by the Information Commissioner and so be valid automatically for UK data transfer purposes. Organisations in this situation have already been faced with additional, unexpected, administrative requirements, on very short notice. We hope that this will be seen as a confirmatory approval of an existing BCR, or as an (permitted) alignment between EU and UK requirements, so not falling foul of the designated powers restrictions. It would be helpful to have confirmation of this point as soon as possible.

No absolute data localisation measures – but restrictions on data transfers are still possible

The TCA states that both the UK and the EU agree not to restrict cross border data flows. There is a list of the types of provisions that would count as a restriction – ranging from data localisation provisions, through to requirements to use locally certified or approved computing facilities. The provision is to be reviewed after 3 years (Art.DIGIT.6).

So far, so good. However, Art.DIGIT.7, states that nothing in the TCA (so including the paragraph above which prohibits data localisation requirements) prevents a party from adopting or maintaining measures for the protection of personal data and privacy, including on cross border data transfers “provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred”. “Conditions of general application” are in turn stated to refer to “conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases”.

In other words, restrictions on the transfer of personal data are permitted – so long as they are not absolute and so long as the EU and the UK treat each other in the same way as they treat other countries.

Readers should note that these provisions do not apply to audio-visual services. They are also subject to general public interest exceptions set out in Arts. EXC.1, EXC.4 and SERVIN.5.39y.

Consent to be the basis for direct marketing by email – and possibly beyond

Art. DIGIT.14 sets out brief rules on direct marketing by email to natural persons using a public telecommunications service, where the EU and the UK will each ensure a consent-based model for direct marketing by email, with exceptions for opt-out marketing to existing customers. Consent and conditions for the soft opt-in are to be assessed in accordance with “each Party’s laws”. Direct marketing is defined as any form of commercial advertising by which marketing messages are communicated directly to a user via a public telecommunications service. This is stated to cover at least email, SMS and MMS. The definition seems wider than current rules – for example, contextual display ads are also communicated directly to a user via a public telecommunications service. This definitional point is likely of academic interest only – as the TCA is not intended to create new obligations or rights for parties (see below).

Direct marketing communications must be identifiable as such. They must show on whose behalf they are made and contain the necessary information to allow users to ask the marketing to stop, free of charge and at any time.

Shared data protection values, but freedom to regulate data protection separately

Title II sets out the basis for the EU and the UK to co-operate through the TCA. This is based on a reaffirmation by each party of their respect for the Universal Declaration of Human Rights and other international human rights treaties to which they are parties (Art. COMPROV.4). This is stated to be an essential element of the partnership – and there is an express affirmation of the commitment of each party to high levels of personal data protection, alongside a commitment to work together to promote high international standards and to engage in dialogue, the exchange of expertise and co-operation on enforcement (COMPROV.19). However, there is also a statement – in Title X – that nothing affects a Party’s right to regulate and further its policy objectives – including in relation to data protection and cyber security.

Lengthy and detailed arrangements for data sharing for law enforcement purposes

Part Three of the TCA relates to law enforcement and judicial co-operation in criminal matters. This includes detailed provisions setting out mechanisms for shared access to personal data for these purposes – which include measures to prevent money laundering. The measures include mechanisms for transfer of DNA data, fingerprint, palm vein and vehicle registration data, PNR data and for access to EUROPOL and EUROJUST data. The arrangements do not, however, cover national security. The arrangements are stated to be predicated on respect, not just for the UNCHR, but also the European Convention on Human Rights. Many of the provisions are a precis of the principles set out in the Law Enforcement Directive ((EU) 2016/680).

Ongoing discussions and dispute resolution

Boris Johnson was infamously elected to “get Brexit done”. Ursula von der Leyen, by contrast, commenting on the TCA, chose to quote T.S. Eliot (Little Gidding):

What we call the beginning is often the end.

And to make an end is to make a beginning.

The end is where we start from.”

Von der Leyen’s comments are apt. The TCA acknowledges that ongoing dialogue and change will be necessary. It provides for a Partnership Council (with one representative from the UK, one from the EU) which will oversee the TCA – for example, adopting decisions where required or provided for by the TCA, making recommendations regarding the TCA and establishing specialised committees. A number of specialised committees are already listed in the TCA. In the first 4 years, the Partnership Council also has a role to adopt decisions amending or supplementing the TCA, for example, where necessary to correct errors. The Partnership Council can also make recommendations regarding the transfer of personal data (p.11; Art.INST.1: Partnership Council). If discussion at the Council is not sufficient, then there is a disputes provision, which provides for arbitration for most disputes (but not all – for example, law enforcement related matters are carved out from this).

The TCA sets out how the EU and the UK relate to each other. However, it is not intended to confer rights or obligations on persons other than the parties to the TCA itself, nor to be capable of being invoked directly in domestic legal systems. Accordingly, practitioners are best seeing it is a backdrop to other laws and commitments.