In a written statement to Parliament, Baroness Neville-Rolfe confirmed the UK Government’s view that the Treaty on the Functioning of the European Union (“TFEU”) means that Article 48 of the GDPR does not apply to the UK. Article 48 of the GDPR states that any judgment or tribunal decision – or decision of an administrative authority – requiring the transfer of personal data to a third (i.e., non-EU) country may only be recognised or enforceable if based on an international agreement, such as a mutual legal assistance treaty in force between the requesting third country and the EU member state in question.
Article 48 (formerly Article 43a) came to be known as the “anti-FISA” clause (FISA is the U.S. Foreign Intelligence Surveillance Act, which governs the collection of foreign intelligence information); it was added to the GDPR by the European Parliament in response to Edward Snowden’s revelations about the scale of access by U.S. security agencies to EU personal data. However, industry groups have voiced concern that Article 48 exacerbates the conflict of laws faced by international companies, which regularly find themselves juggling competing legal demands in the different jurisdictions in which they operate.
The UK’s position turns on Protocol (No 21) (on the position of the United Kingdom and Ireland in the areas of freedom, security and justice) of the TFEU. This states that the United Kingdom (and Ireland) shall not take part in the adoption by the Council of certain measures, including those which concern issues relating to justice and home affairs, and that any international agreement concluded by the European Union relating to such measures shall not be binding upon or applicable in the United Kingdom, unless the UK notifies the Council in writing within three months that it wishes to participate. This means that Article 48 of the GDPR is not binding upon the UK unless a positive opt-in takes place under the Protocol. The UK Government has confirmed it will not be exercising its opt-in right.
The UK’s stance could be advantageous for UK organisations that find themselves involved in foreign litigation or overseas regulatory investigations. It may well make them less likely than their EU counterparts to face the dilemma of having to choose between sanctions from an overseas regulator for failing to transmit data and sanctions at home if personal data are sent (assuming no other lawful basis can be identified under the GDPR).