The U.K. government has published a draft text of the withdrawal agreement concerning the U.K.’s exit from — and future relationship with — the European Union.
The withdrawal agreement confirms that once the U.K. leaves the EU there will be a transition period lasting until Dec. 31, 2020. The EU has an option to extend this transition period. As a general rule, EU law will apply in the U.K. during the transition period, although the withdrawal agreement does provide for some exceptions.
During the transition period, the institutions, bodies, offices and agencies of the EU will continue to have jurisdiction, as will the Court of Justice of the European Union.
Outline of political declaration
The negotiators of the European Commission and the U.K. have agreed on an "Outline of the political declaration setting out the framework for the future relationship between the European Union and the United Kingdom," which reaffirms the U.K.’s commitment to a high level of data protection during and after Brexit, and supplements the provisions in the withdrawal agreement.
Data protection provisions
The transition period
The withdrawal agreement sets out the U.K.’s position regarding data protection during the transition period. In particular, it provides that:
- The General Data Protection Regulation 2016/679 and the Privacy and Electronic Communications Directive 2002/58/EC will continue to apply to the U.K. in relation to personal data processed before or during the transition period, and to personal data processed after the end of the transition period but on the basis of the withdrawal agreement.
- The above legislation will not apply in situations where data is processed in accordance with an adequacy decision.
- After the end of the transition period or if an adequacy decision is revoked, the U.K. is theoretically free to protect only the personal data of U.K. citizens. The U.K. agrees, however, to ensure that the data of non-U.K. citizens will continue to be protected in accordance with GDPR standards, provided the data was being processed prior to the end of the transition period.
- The EU agrees not to treat data received from the U.K. during the transition period differently than data received from EU member states solely on the basis that the U.K. has left the EU.
Adequacy decisions by the UK
The withdrawal agreement permits the U.K. to “negotiate, sign and ratify international agreements entered into in its own capacity in the areas of exclusive competence of the Union, provided those agreements do not enter into force or apply during the transition period, unless so authorized by the Union.”
In our opinion, this enables the U.K. to develop adequacy decisions during the transition period to support the future free flow of data outside the U.K. post-transition. This is likely to result in the recognition of the EU-U.S. Privacy Shield as providing adequacy and to permit those with binding corporate rules approved by the Information Commissioner’s Office to still transfer data.
The political declaration outline reaffirms the U.K.’s commitment to the European Convention on Human Rights and the Union’s and its member states’ commitment to the Charter of Fundamental Rights of the Union. This means that the U.K. will remain a part of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (known as Convention 108), and transfers of data under this treaty mechanism will be deemed adequate. However, it should be noted that such transfers are limited to automatically processed data.
EU adequacy decision for the UK
There is no guarantee in the withdrawal agreement that the U.K. will benefit from a future EU adequacy decision. Further, the withdrawal agreement does not mention the assessment to be undertaken in order to determine adequacy for the U.K.
The only mention of a U.K. adequacy decision assessment is in the political declaration outline, which states that the European Commission will commence its assessment and endeavor to adopt decisions by the end of 2020.
This reiterates the view that adequacy will need to be negotiated separately alongside other future trading positions, so there is no clarity on where data transfers will end up after the transition period.
There are many questions that have been left unanswered by this withdrawal agreement. The main question that organizations will have is how transfers of personal data from the EU to the U.K. will be conducted in the absence of an adequacy agreement. Unfortunately, this uncertainty will remain until approval of the withdrawal agreement and negotiation of any future trading relationship between the U.K. and EU.
If you want to comment on this post, you need to login.