TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Potential Brexit deal reached; data transfers remain, for now Related reading: IAPP FAQs: What does the CJEU's 'Schrems II' case mean for data transfers?




More than three years after the U.K. voted in a referendum to leave the EU, a proposed Brexit deal is on the table just weeks ahead of an Oct. 31 deadline. U.K. Prime Minister Boris Johnson said it is a "great new deal" and that the U.K. Parliament will vote on it this Saturday, Oct. 19.

European Commission President Jean-Claude Juncker confirmed a deal had been reached but added, "I am happy about the deal, but I am sad about Brexit." 

The draft text of the deal released Thursday includes a section near the top on data protection, stating, "In view of the importance of data flows and exchanges across the future relationship, the Parties are committed to ensuring a high level of personal data protection to facilitate such flows between them."

The deal also includes language that mentions adequacy: "On the basis of this framework, the European Commission will start the assessments with respect to the United Kingdom as soon as possible after the United Kingdom's withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met. Noting that the United Kingdom will be establishing its own international transfer regime, the United Kingdom will in the same [time frame] take steps to ensure the comparable facilitation of transfers of personal data to the Union, if the applicable conditions are met."

The status of Brexit and its potential effect on data transfers between the U.K. and EU has long been uncertain. Many companies employ standard contractual clauses, and some have incorporated the more onerous binding corporate rules to facilitate legal data transfers, though SCCs are currently under scrutiny in a court case now in front of the Court of Justice of the European Union.

"The revised political declaration does not make any changes to the previous data protection provisions," Bird & Bird Partner Ruth Boardman said in emailed comments to the IAPP. "Data protection remains a priority, addressed right at the beginning of the declaration. There is a commitment on both sides to try to ensure free flows of data as long as the appropriate conditions are met and to provide for cooperation between regulators. There is an objective to achieve this by the end of 2020." 

Jeroen Terstegge, CIPP/E, CIPP/US, the IAPP's country leader for the Netherlands and of Privacy Management Partners, has also been following the negotiations closely, noting that the transition period has thus far survived. "To be clear," he said in comments to the IAPP, "Article 67 (1)(b) of the original Withdrawal Agreement will apply under today's deal. So the [EU General Data Protection Regulation] will continue to apply ... in the U.K. Ergo, international data transfers from the EU to the U.K. may continue for now." 

Terstegge also pointed out that former U.K. Prime Minister Theresa May's deal placed the transition period for the GDPR until Dec. 31, 2020. "However, today's deal does not move the end of the transition period. So, the transition period for the GDPR has effectively been shortened to 14 months." 

The political realities of the deal are far from clear right now. Hogan Lovells Partner Eduardo Ustaran, CIPP/E, is skeptical that the deal will pass. "First of all," he said, "there is no certainty that this deal will be approved by the U.K. parliament given that in essence it seeks to weaken the relationship between the U.K. and EU." And that relationship, he pointed out in his comments to the IAPP, could affect the U.K.'s adequacy standing. "Although during the transition period, it will be business as usual on data flows," he said, "that softer relationship makes an adequacy finding less certain." 

Reaction to the proposed agreement has been rapidly developing throughout Thursday, and it's not clear the deal will pass the U.K. Parliament this Saturday. According to the Financial Times, the deal is expected to receive the backing of all 27 European Union member states, but Johnson "faces an uphill struggle to pass" the deal in the U.K. after Northern Ireland's Democratic Unionist Party "denounced" it.  

The DUP comprises 10 members of Parliament. In a statement Thursday, the DUP said, "These proposals are not, in our view, beneficial to the economic well-being of Northern Ireland and the integrity of the Union" and that the group is "unable to support these proposals in Parliament." Unsurprisingly, the opposition Labour Party has also declared it will not support the deal, calling it "even worse than [former U.K. Prime Minister] Theresa May's" deal. 

On the EU side, Juncker said there will not be a further extension to the Brexit process ahead of the Oct. 31 deadline. 

The parliamentary vote this Saturday will be crucial to the future of Brexit. Bird & Bird's Ruth Boardman noted, "It remains to be seen if the U.K. Parliament will vote to accept the deal this Saturday. If it doesn't, then a no-deal Brexit — with immediate disruption to data transfers to the U.K. — could result." 

Photo by King's Church International on Unsplash

Credits: 1

Submit for CPEs

1 Comment

If you want to comment on this post, you need to login.

  • comment Christopher Schmidt • Oct 18, 2019
    I beg to differ. According to the article, Jeroen Terstegge took the view that pursuant to Art. 67(1)(b) of the Withdrawal Agreement, the GDPR "will continue to apply". However, this Art. only refers to legal proceedings instituted BEFORE the end of the transition period. Also, 67(1)(b) only refers to the GDPR's "provisions regarding jurisdiction". Instead, Artt. 70, 71 of the WithdrawalAgreement lead to the applicability of GDPR/LED to the processing of personal data of data subjects outside the UK, provided that ... Have a look at the aforementioned provisions at