Christopher Knight, of 11KBW, provides an instant look at what the proposed Withdrawal Agreement may mean for data protection and privacy regulation. First published on the Panopticon blog.
Panopticon has generally avoided venturing too far into Brexit-related updates: there has invariably been very little by way of actual facts to comment on (not that that has stopped people). But 14 November 2018 does mark something of a landmark, even if by the time you read this it may well all have collapsed like a particularly badly made soufflé. By the time you watch the repeat on Dave it may look like a legal history article. Here goes nothing…
The 14 November saw HM Government publish the draft text of the Withdrawal Agreement. That includes, in its near 600 pages, some provision for the application of data protection law. It is intended to govern the legal framework after the expiry of the transition period: during the transition (which runs until 2020) EU law continues to apply in full (see Article 126).
Applying to the GDPR, the Law Enforcement Directive and the e-Privacy Directive, Article 71 provides that EU data protection law applies in the UK to govern the processing of personal data of data subjects outside the UK (an important limitation), where the data was processed under EU law before the end of transition or where it is processed after transition under the Withdrawal Agreement. Those rules do not apply to the extent that processing is covered by an adequacy decision of the Commission: Article 71(2). And if an adequacy decision ceases to apply, the UK will ensure an essentially equivalent level of protection: Article 71(3). (Interestingly, at least to some, Ch VII GDPR is not included in the definition of EU data protection law which will continue to apply, which is the bit no-one reads about co-operation between regulators.)
This is not a commitment to maintain the full force of the GDPR in the UK after transition. It is a recognition that the UK will become a third State, and cannot be required by the EU to apply the GDPR (etc) to wholly internal situations of processing. Rather, continued transitional provision is made for processing which was subject to EU law before and continues after the end of the transition period. (Much the same approach is applied to the legislation on jurisdiction and choice of law.)
Interestingly, Article 71(2) appears to contemplate an adequacy decision for the UK, although to be fair, Article 71(3) also contemplates it being lost again. But published just the day before, on 13 November, was a memo from the Commission to the EU institutions on its contingency planning for a no deal Brexit (still a very real possibility). At p.11, the Commission states that an adequacy decision is not part of its no deal planning. It claims to be content to rely on the existing toolbox for third country transfers contained in the GDPR. Anyone who has actually had to put together binding corporate rules, tried to fit the (inexplicably and incompetently not updated) standard contractual clauses to their processing or sought in vain for a derogation may be less blasé. Doubtless playing on this lack of welcome for relying solely on the ‘toolbox’ is part of the Commission’s aim for encouraging the UK away from no deal.
Published alongside the Withdrawal Agreement is a very bullet point form of the Outline of the Political Declaration, i.e. what the EU and UK plan to negotiate towards during the transition period. Right up top is a “Commitment to a high level of personal data protection” (whatever that means) and an apparent agreement of the Commission to aim to work towards an adequacy decision to be in place before the end of transition. That seems to mean that:
It is important to remember that to a very considerable extent the Withdrawal Agreement is pushing at an open door – at least in the short term. Sections 2-4 of the European Union (Withdrawal) Act 2018 operate to preserve the effect of the data protection legislation in domestic law in any event, and of course the Data Protection Act 2018 applies the EU-derived regimes without regard to Brexit. But after Brexit, the UK has the theoretical right to alter how it implements data protection law, and the Withdrawal Agreement is intended to place some limitations on the extent to which the UK is able to do so. Article 71(3), for example, would prevent the wholesale repeal without replacement of Parts 1-3 of the DPA 2018, but it would not prevent some tinkering around the edges.
The Withdrawal Agreement itself will need implementation in domestic law through primary legislation to be given legal effect, which is by no means assured. But in relation to data protection at least – and far more vexed areas exist – its approach is essentially consistent with existing UK legislation enacted by Parliament, both generally in the form of the Withdrawal Act and specifically in the form of the DPA.
This article first appeared on the Panopticon blog.