The Draft Withdrawal Agreement and Political Declaration: Implications for Data Protection, by Karen Mc Cullagh

Summary: This post analyses the draft agreement on the withdrawal of the United Kingdom from the European Union and the accompanying political declaration on the future relationship, as adopted by the negotiators on 14 November 2018. This package has yet to be approved by the European Council of 25 November and then by the UK Parliament, which is far from certain. These documents contain a roadmap to facilitate the transfer of personal data between the European Union and the United Kingdom. The draft specifies that during the transition period EU personal data protection law will continue to apply in the United Kingdom. There will therefore be no immediate restrictions on transfers of personal data between the European Economic Area and the United Kingdom when the latter leaves the Union on 29 March 2019. The CJEU will continue to have jurisdiction over questions of interpretation of data protection law that may arise before the UK courts during this transition period. By contrast, the ICO, the UK supervisory authority, will lose its membership of the European Data Protection Board (EDPB). It will have observer status so that it can take part, without voting rights, in meetings when it is invited. This means that UK data controllers will no longer be able to benefit from the one-stop-shop mechanism with the ICO. In addition, the United Kingdom will no longer be able to influence the drafting of EDPB guidelines. Finally, the political declaration specifies that the United Kingdom will seek, during the transition period, to negotiate with the European Commission the adoption of an adequacy decision to secure transfers from 1 January 2021. The adoption of such an adequacy decision would probably require a revision of the Investigatory Powers Act 2016 on state surveillance.
The draft agreement has been cautiously welcomed by business circles because it is likely to improve the legal certainty of transfers during the transition period. However, the risk of a “no deal” remains high. Accordingly, most organisations carrying out processing between the EU and the United Kingdom continue to rely on preparing binding corporate rules and contractual clauses.

Introduction

This blog post discusses the data protection measures in the draft Withdrawal Agreement on the withdrawal of the UK from the EU and accompanying outline Political Declaration on the Future Relationship. Although the texts are in draft form and subject to approval by the UK Parliament and EU member states (which is far from certain to be forthcoming, in the UK at least), they set out a roadmap for post-withdrawal EU-UK personal data transfers. In brief, the draft Withdrawal Agreement provides that EU data protection law will continue to apply generally in the UK during the transition period, meaning there will be no immediate restriction of data transfers from the EEA to the UK when the UK leaves the European Union on 29th March 2019. The accompanying Political Declaration indicates an intention on the part of the UK government to seek an adequacy decision from the European Commission during the transition period to address EU-UK data transfers from 1st January 2021. It also contains provisions for the on-going application of EU data protection law after that date, which may avoid some data transfer restrictions if an adequacy decision is not obtained during the transition period. In short, it provides a framework for ensuring personal data transfers continue unimpeded – provided the UK takes steps to secure a finding of adequacy by the European Commission. Whilst these elements are positive, the UK will, however, cease to participate in the European Data Protection Board and the so-called one-stop-shop procedures of the GDPR – reducing the UK’s ability to influence future development of EU data protection law, and increasing compliance costs for UK established businesses.

Overview of the draft Withdrawal Agreement and Political Declaration

Following a UK Cabinet meeting on 14th November 2018, the UK Government announced support for and published the text of a draft Withdrawal Agreement (which reflects the in principle agreement between the UK and EU negotiating teams on the full legal text) and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators (which sets out progress on the scope of the framework for the future relationship; negotiations are on-going to finalise this Declaration). On 25th November 2018, at a special European Council meeting, the texts of the Withdrawal Agreement and Political Declaration will be finalised and approved on the basis of a qualified majority vote.[1] The UK government will then lay the final version of the Withdrawal Agreement before Parliament, as it will need implementation in domestic law through primary legislation to be given legal effect. This outcome is by no means assured as it remains to be seen whether it will survive debate and votes in the UK parliament.[2]

The draft Withdrawal Agreement does not address the future trading relationship between the EU and UK once the transition period ends. That is subject to further negotiation between the parties. Instead, the Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29th March 2019 and includes a transition period (which the UK refers to as an “implementation period”) which will last until 31st December 2020 (or until 2022 at the latest by joint agreement),[3] during which EU data protection law will continue to apply in and to the UK (Art 127).

The draft Withdrawal Agreement is accompanied by an outline Political Declaration that sets out a vision for the future, including positions of intent in relation to the free flow of personal data, and a commitment to a high level of data protection. It indicates willingness on the part of the European Commission to commence an adequacy assessment during the transition period with the aim of securing an adequacy finding by the end of 2020, i.e. by the end of the anticipated transition period. The EU had previously contended that an adequacy assessment could not commence until the UK became a third country, so this announcement constitutes a notable concession by the EU – one that will be welcomed by businesses. The outline Political Declaration also states that the UK will put in place a mechanism to ensure a free flow of data from the UK to the EU. It further mentions an intention to have “appropriate cooperation between regulators”. Taken together, these documents confirm a commitment by the UK to maintaining GDPR standards post-withdrawal, which is welcome news for international businesses seeking certainty, consistency and continuity in the measures they have to take to protect personal data. It should reassure individuals that data protection measures will remain robust after the UK leaves the EU.

Overview of key provisions

The GDPR and related laws (i.e. the Law Enforcement Directive 2016/680, and the Privacy and Electronic Communications Directive 2002/58/EC) will continue to apply in and to the UK in relation to personal data processed during the transition period (Art 71), thereby ensuring that there will be no restrictions on personal data transfers between the EU and UK during the transition period. Equally, EU member states agree not to treat data received from the UK during the transition period differently to data received from EU member states solely on the basis that the UK has left the EU (Art 73). The CJEU will continue to have jurisdiction to settle questions of interpretation raised by the UK courts regarding data protection law and the UK will abide by CJEU decisions during the transition period (Art 129).

The draft Withdrawal Agreement provides that:

“Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data (a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or (b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.” Article 71(1)

When read in conjunction with comments in a speech by Emma Bate, General Counsel for the Information Commissioner’s Office (ICO):

“… you may be interested to hear the current [ICO] thinking regarding transfers. We have moved away from pure geographical considerations. A transfer of data outside the EEA is not restricted by Chapter V of the GDPR if the data, when held by the non-EEA recipient, is still protected by the extra-territorial scope provisions of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside of the protection of the GDPR.” (Emma Bate, Counsel, ICO, 5RB Conference Speech, 26 September 2018)

The ICO’s view is that data transfer restrictions under the GDPR do not apply where the recipient of personal data is directly bound by the GDPR, i.e. covered by the “GDPR-envelope”. This approach could have positive implications for international transfers of data from the UK after it leaves the EEA and becomes a “third country”, in that personal data could be transferred within a “GDPR-envelope”. Significantly, the “GDPR-envelope” would apply only to personal data processed in the UK during the transition period (Art 71(a)) or personal data which continue to be processed in the UK in reliance on these arrangements after the transition period ends (Art 71(b)), because it is anticipated that the “GDPR-envelope” would be superseded by an adequacy decision, which should be in place by the end of the transition period (Art 71(2)). In effect, Art 71(b) creates a backstop to ensure that EU residents’ personal data does not lose GDPR protection once the transition period ends if an adequacy decision is not in place by then.

It remains to be seen whether this “GDPR-envelope” will be reflected in the EDPB’s guidance on territorial scope and data transfers. The prospect of UK based data controllers being able to continue to receive personal data from EEA countries during the transition period without needing to put in place Chapter V transfer mechanisms (e.g. model clauses or binding corporate rules, or rely on one of the derogations) has been welcomed by some data protection experts because “it could only have the effect of making transfers easier.” (Jon Baines, Mishcon de Reya, quoted in Global Data Review Blog, 12 October 2018). However, other data protection experts have reacted with concern to the “GDPR-envelope” interpretation on the basis that it would allow the UK to temporarily avoid compliance with the Schrems criteria, e.g. fundamental rights compliant limits on surveillance. These critics have noted that although the “GDPR-envelope” in the withdrawal agreement would be justiciable by the CJEU, the transition period would likely have concluded by the time a complaint was heard.

In my view, whilst it would be better to insist that UK data controllers rely on Chapter V GDPR mechanisms such as contracts and derogations during the transition phase, the reality is that drafting and implementation of such measures, e.g. contractual arrangements, would be a costly and time-consuming exercise that would unfairly penalise small and medium-sized enterprises, causing harm to both the EU and UK economies, which both parties are keen to avoid. The pragmatic ‘fudge’ minimises economic harm by ensuring that EU-UK personal data transfers continue unimpeded during the transition period, and is acceptable because it will be a temporary arrangement as the UK will still be obliged to inter alia amend provisions in the Investigatory Powers Act 2016 in order to secure a finding of adequacy by the European Commission by the end of the transition period.

Prospects of obtaining & retaining an adequacy decision

Securing an adequacy decision will be vital to ensuring the unimpeded flow of personal data between the EU and the UK once the transition period comes to an end. The EU has made a significant, positive concession in indicating a willingness to commence the adequacy assessment process during the transition phase with the aim of having one in place by the end of 2020, i.e. the end of the transition period. This would minimise disruption to EU-UK personal data transfers. There is, however, no guarantee that the UK will obtain an adequacy decision from the European Commission because, inter alia, provisions in the Investigatory Powers Act 2016 concerning the retention of communications data and the bulk collection and retention powers of the UK surveillance services are likely to be an obstacle to an adequacy finding. Until such time as these provisions are amended, a finding of adequacy is not likely to be forthcoming.

If the UK were to secure an adequacy decision and then seek, in the future, to diverge significantly from EU standards, it could jeopardise renewal of an adequacy decision. Consequently, Article 71(3) creates a backstop in the event of a finding of adequacy being withdrawn or revoked – it commits the UK to ensuring a level of protection of personal data “essentially equivalent” to that under the GDPR in respect of EEA residents’ personal data (Art 71(3)). Thus, until such time as the EU ceases to be the UK’s largest trading partner (which is not forecast to change in coming decades), UK data protection law is likely to maintain close alignment with EU data protection law.

EDPB membership & participation in the one-stop-shop mechanism

The involvement and influence of the UK’s Information Commissioner’s Office (ICO) in regulatory co-operation mechanisms will, however, be significantly reduced when the UK leaves the EU because Article 70 of the draft Withdrawal Agreement specifically excludes the application of Chapter VII of the GDPR during the transition period. Chapter VII is concerned with the rules governing co-operation between supervisory authorities and their involvement with the EDPB. Unsurprisingly, Article 128(5) of the Withdrawal Agreement grants the ICO (the UK’s national data protection supervisory authority) the right to attend (by invitation only) meetings of the EDPB in certain circumstances. As an ‘observer’ the ICO will not have a right to vote in such meetings, so will lose its ability to directly influence the development of data protection in the EU. In addition, organizations will not be permitted to designate the UK ICO as lead authority for GDPR purposes. This will impact negatively on businesses operating in both the UK and the EEA as it will leave them facing parallel proceedings in the UK and the EEA, thereby increasing their compliance burden.

Concluding remarks

The provisions concerning data protection in the draft Withdrawal Agreement have been cautiously welcomed by business because they provide a degree of regulatory certainty during the transition period. However, it remains to be seen whether the UK parliament will agree to support and implement the draft Withdrawal Agreement, and so the risk of a “no deal” remains high. Given this uncertainty, organisations that rely upon cross-border transfers of data between the EEA and UK should continue to make contingency plans, such as preparing to execute model standard contractual clauses, to ensure that EEA-UK personal data transfers are not halted in the event of a “no deal” scenario.

Dr Karen Mc Cullagh, Lecturer in Law, University of East Anglia, k.mccullagh@uea.ac.uk

[1] The deal will also have to pass through the European Parliament.

[2] The first vote by the UK Parliament is expected within two weeks of the European Council on 25th November 2018.

[3] Article 129 provides that the Joint Committee (i.e. UK and EU representatives deciding jointly) can agree to extend the transition period at any time before 1 July 2020 (i.e. 6 months before the end of the transition period).

 
