EU leaders have signed off the withdrawal agreement between the UK and the EU, as well as the political declaration on the framework for the future relationship between the UK and the EU. The political declaration is an outline of what a future EU-UK trade agreement might look like. But the trade agreement has yet to be negotiated and that process won't start until the UK has left the EU on 29th March 2019. If negotiations are quick (and successful) then the intention is that the future trade agreement between the EU and the UK would come into force at the end of the transition period (31st December 2020, but the transition period could be extended).
Next month the withdrawal agreement and the framework for the future EU-UK relationship will be put to the UK Parliament (likely on the 12th December), which will vote on whether to approve them. At the moment, the Parliamentary arithmetic looks worrying for Theresa May. If Parliament votes the deal down then the UK looks to be heading for a constitutional crisis. But we're not there yet, and the Prime Minister is doing her utmost to convince MPs and the public to back the deal. She has also staved off a potential vote of no confidence by Brexit supporting MPs in her own party, unhappy with the withdrawal agreement and the political declaration.
At the same time, the Court of Justice of the European Union is to hear a case on 27th November on the question of whether under Article 50 of the Treaty on European Union, a Member State which has given notice of its intention to withdraw from the EU can unilaterally revoke that notice.
What do the withdrawal treaty and the framework for the future relationship mean for data protection?
If the deal is secured then data flows between the UK and the EU (as well as the rest of the world) continue as normal between the UK's departure from the EU (29th March 2019) and the end of the transition period (ie until 31st December 2020, unless this period is extended).
For the future relationship (i.e. after the transition period), the intention as set out in the political declaration is that data transfers should take place on the basis of an adequacy decision. An adequacy decision means that the European Commission has determined that a country offers an adequate level of data protection, taking into account its domestic legislation and international commitments. This enables personal data to flow freely from the EU to that country. Examples of countries which already benefit from an adequacy decision include Argentina, New Zealand, Canada, and the US (for transfers made to organisations that have certified compliance with the EU-US Privacy Shield).
The EU will endeavour to adopt an adequacy decision in relation to the UK by the end of 2020 (i.e., the end of the transition period). The UK will follow the same timetable in order to ensure that a reciprocal mechanism is in place at the end of the transition period for data transfers from the UK to the EU. So if all goes to plan (and at the moment it's still a big "if") then, on a practical level, transfers between the EU and UK will continue more-or-less as normal both during, and after, the transition period.
What new texts have been published since our last post?
The political declaration on the future relationship between the UK and EU has been published in full (previously all that had been published was an outline). There is little further detail compared with that outline. The main point of interest is that the text confirms that the adequacy assessment for the UK will start as soon as possible after the UK withdraws from the EU (at 11pm on 29th March 2019). The previous text had no timeline for the start of the adequacy process.
There is an interesting sentence in the political declaration about the future relationship not affecting the Parties' autonomy over their respective data protection rules. This likely points to the fact that the UK wants to establish that it doesn't have to follow every word of EU data protection law in order to achieve adequacy (underlining that other third countries are not required to do so).
The vague reference to appropriate cooperation between regulators, as was set out in the previously published outline to the future relationship, is also reflected in the final text.
Again, this all looks good from a data protection perspective. But as we said in our previous post, nobody can predict exactly what is going to happen next. We'll keep you updated.