Data Protection and Brexit – Prospects for UK Adequacy

David Smith

Last week, the UK Parliament passed the European Union (Withdrawal Agreement) Bill (see our recent publication regarding the key provisions of the Bill). Following Royal Assent, the European Union (Withdrawal Agreement) Act 2020 now gives effect, in the UK, to the EU Withdrawal Agreement, as negotiated with the EU and including the transition period to 31 December 2020. In addition to our blog clarifying some of the key positions during the transition period, here we consider the prospect of the UK being granted “adequacy” status by the EU, so permitting the continued cross-border transfer of personal data to and from the EU at the end of the transition period.

The year started with a disappointing comment from the European Data Protection Supervisor, Wojciech Wiewiórowski, who was reported as saying that the UK may have to wait before negotiations can start on a new data deal following Brexit, that the UK is “13th in the row” of countries seeking to strike a new deal and that allowing the UK to move ahead of the line “would be a little bit unfair towards those who have already prepared themselves for this process.” This echoes remarks made by his predecessor, Giovanni Buttarelli, along similar lines. However the EDPS does not participate directly in adequacy discussions. The process will be run, and negotiations conducted, by the European Commission rather than by the EDPS. Furthermore, Wiewiórowski’s remarks are hard to reconcile with the wording of the Political Declaration that accompanies the Withdrawal Agreement. This clearly commits the European Commission to starting its assessment of the UK’s adequacy, “as soon as possible after the United Kingdom’s withdrawal, endeavouring to adopt decisions by the end of 2020, if the applicable conditions are met.”

Better news has come from the European Commission’s own ad hoc Working Party on Article 50 (UK Brexit) confirming that UK adequacy for data transfers could be resolved by the end of 2020 if the requirements are fulfilled. Encouragingly, slides published show that The Task Force for Relations with the UK has already held internal preparatory discussions on a range of matters impacting on the EU’s future relationship with the UK including on personal data protection. The published slides do though remind us that the necessary steps for arriving at an adequacy decision include:

  • An assessment by the Commission, in close cooperation with the UK
  • A draft European Commission decision
  • An Opinion by European Data Protection Board (in which the EDPS participates as a member)
  • A vote by Member States in the Standing Committee
  • Adoption by the College of European Commissioners.

It is not impossible for all these steps to be completed in the 11 months between Exit Day (31 January 2020) and the end of the transition period but it is undoubtedly an ambitious target. In previous adequacy cases some of these steps have, on their own, taken more than a year to get through.

Of course, the UK starts from a strong position in that its data protection laws are already directly aligned with those of the EU. This should certainly simplify the Commission’s assessment of adequacy. Recent remarks by the Chancellor, Sajid Javid, stating that following Brexit there will not, in general terms, be alignment with EU regulation and that the UK “will not be a rule taker” may have caused some worries but adequacy does not require the UK’s data protection rules to be precisely aligned with those of the EU. There will be scope for divergence in the future provided that the outcomes in the UK, when measured  in terms of protection for individuals, remain equivalent to those in the EU.

As well as suggesting that the UK might have to join a queue, the EDPS pointed to how British intelligence agencies handle personal data collected in the EU as an area of concern moving forward. In an earlier blog I discussed whether surveillance activities of public authorities in the UK might stand in the way of an adequacy finding for the UK. Here, I pointed to the significance of the UK remaining a party to the European Convention on Human Rights (ECHR) and within the jurisdiction of the European Court of Human Rights. This means that, regardless of Brexit, the UK’s surveillance regime will still have to satisfy basic human rights requirements and will continue to be open to external legal challenge if it does not. The UK’s case for adequacy was therefore given a further boost by the recent Opinion of the Advocate General (AG) of the CJEU in the Schrems 2 case. In discussing adequacy findings, albeit in the context of the US Privacy Shield, the AG suggested that as EU law does not apply to national measures that are directly implemented by the state for the protection of national security without the assistance of private operators, the ECHR is indeed the relevant framework for evaluating whether such measures pose a barrier to an adequacy finding for the state in question.

Although there are some encouraging signs, it will nevertheless be challenging, to say the least, for the European Commission to deliver a signed and sealed adequacy decision for the UK before the end of 2020. Perhaps, if the process is well on the way, it might be possible to find some compromise that will mean that unrestricted data flows can continue pending the final decision. Whilst it is difficult to see what such a compromise solution could be it would amount to a regrettable and unnecessary triumph of procedure over pragmatism if personal data flows to the UK are indeed impeded after 31st December despite personal data being no less well protected in the UK on the day after the transition period has ended than they were when the GDPR still applied.