Deal touches on aspects of data protection, digital trade and cybersecurity
After much “will they won’t they” wrangling, the UK and EU agreed a trade and cooperation agreement with effect from 1 January 2020. While it will by no means match the level of economic integration that existed while the UK was an EU member state, the agreement goes beyond traditional free trade agreements and according to the EU, “provides a solid basis for preserving our longstanding friendship and cooperation”.
Much has been made in the press of the fact that certain agreements were copied and pasted from previous agreements with references to old technology such as Netscape, but there are key elements of interest to tech lawyers including an extension of the transition period for personal data and a chapter on digital trade.
The agreement includes a commitment by the EU and UK to uphold high levels of data protection standards. In principle, where personal information is transferred, the transferring party shall respect its rules on international transfers of personal data.
For law enforcement and judicial cooperation, high levels of data protection standards are essential. These are to be ascertained by adequacy decisions taken unilaterally by each side. On the EU side, this means decisions attesting that UK standards are essentially equivalent to the EU standards set out in the EU's GDPR and Law Enforcement Directive, and that they respect EU case law.
The European Commission says that it has been intensively working on its adequacy decisions for the UK since March. Once it is satisfied with the information received, the Commission will launch the adoption process without delay. The adoption of each adequacy decision requires an opinion from the European Data Protection Board and the green light from member states (as part of a comitology procedure).
Therefore, the EU has not (yet) granted the UK adequacy status. However, the trade agreement will have the effect of extending the transitional arrangements for four months (which may be extended again by a further two months), as long as the UK does not change data protection legislation in the meantime.
The agreement contains provisions aimed at facilitating digital trade, by addressing unjustified barriers, and ensuring an open, secure and trustworthy online environment for businesses and consumers, along with high standards of personal data protection. It prohibits data localisation requirements, while preserving the EU's policy space regarding the protection of personal data.
The agreement also bans the imposition of customs duties on electronic transmissions. In addition, the EU and UK may not require that authorisation is provided before a service is provided just because it is provided online, except for broadcasting and gambling. The UK and EU must provide that contracts may be entered into electronically and must enable electronic contracts (with certain exceptions such as witnessing in person). Denying the legal effect and admissibility as evidence in legal proceedings of an electronic document, signature, seal or time stamp is prohibited. With a number of exceptions (for example voluntary transfers or the protection of intellectual property), the UK and EU cannot require the transfer of, or access to, the source code of software. Both the UK and the EU must adopt and maintain means of protecting consumers in e-commerce transactions, including providing information and ensuring effective means of redress. The UK and the EU also underline their commitment to ensuring that direct marketing communications are sent only to those who have consented to receive them. Although the EU and the UK may decide for themselves if they want to make government data free to access by the public, if they do they should aim to make it easily searchable and regularly updated. The UK and the EU have also committed to cooperate to consider whether data could be used to enhance commercial opportunities. They will also cooperate on regulatory issues.
The agreement sets out a number of initiatives between the EU and the UK including a regular dialogue on cybersecurity, and cooperative actions at international level to strengthen global and third countries' cyber-resilience.
The EU and the UK have also agreed to exchange best practices and actions aimed at promoting and protecting an open, free, and secure cyberspace. Subject to an invitation by the relevant EU authorities, these actions include the possibility for the UK to: