The withdrawal agreement and data protection
This is an update to our earlier post on Brexit. It discusses the publication of the draft withdrawal agreement, following the UK government's announcement that it has reached a tentative deal with the EU.
As I write, it is not at all clear what the next few hours, let alone weeks, will bring and whether Theresa May's withdrawal agreement will survive. However, it's worth setting out what the text does in relation to data protection.
In brief, the withdrawal agreement seeks to ensure that there will be no disruption to data flows between the UK and the EU post-Brexit.
The transition period
During the period immediately after the UK leaves the EU on 29th March 2019, but before the treaty governing the future relationship between the EU and the UK comes into force, EU law (including data protection law) will continue to apply to the UK. This is the period which the withdrawal agreement terms the "transition period", but which the UK calls the "implementation period" (they are in fact the same thing). It's not clear how long the transition period will last. The withdrawal agreement provides for it to be extended to a date which is as yet unknown. This is a helpful addition to the text compared to the version published in March, and removes the potential "cliff edge" the UK was facing at the end of 2020 if the future relationship had not yet been agreed.
During the transition period the UK loses its seat at the table in the European Data Protection Board ("EDPB"). But that doesn't necessarily mean that all the provisions which have a link to the EDPB fall away. So, for example, it's not clear how the one stop shop will work during the transition period. Just because the UK Information Commissioner loses her seat at the table doesn't necessarily mean that the entire one stop shop mechanism simply won't apply to the UK. If that were the case it would undermine the central policy of the transition period, which is to maintain consistency as between the regimes in the UK and the EU. The detail of how all this will work in practice is still very unclear. We may have a better sense once the EU (Withdrawal Agreement) Bill is published.
For the future relationship, the UK is seeking an adequacy decision as the basis for the transfer of data from the EU to the UK. The outline of the political declaration on the future relationship which has been published alongside the draft withdrawal agreement says that the EU will "endeavour" to adopt an adequacy decision in relation to the UK by the end of the transition period. The UK will also be seeking to put in place a mechanism which will ensure a free flow of data from the UK to the EU.
The political declaration on the future relationship also mentions (in vague terms) an intention to have "appropriate cooperation between regulators".
There is also a safety net in the withdrawal agreement in case the seamless transition doesn't happen (i.e., if the UK doesn't get an adequacy decision at the end of the transition period). But it's worth noting that the safety net doesn't contain a mechanism for transfers or set out how future data flows will take place after the transition period. It simply guarantees that (in effect) EU citizens' data processed in the UK before the end of the transition period will continue to be protected in accordance with EU data protection law. Data of EU citizens processed under the withdrawal agreement after the transition period (for example, in relation to the provisions on citizens' rights) will also be similarly protected. A parallel provision exists for UK personal data in the EU, which will be given the same protection as is accorded to data obtained from a Member State.
In summary, this all looks reassuring. In reality, nobody has any idea how this is all going to play out. We will keep you posted as events unfold.