The year 2019 was one of high-octane political drama for the United Kingdom, culminating in a Conservative election win (by a large majority) and, consequently, the United Kingdom's withdrawal from the European Union on 31 January 2020.
As such, the United Kingdom has now entered uncharted waters. While there was no cliff edge on 31 January 2020, there are significant challenges ahead, including in the cross-cutting area of data protection, which could affect many UK businesses.
When the United Kingdom left the European Union, the Withdrawal Agreement commenced. The agreement ensures that the United Kingdom will be treated as an EU member state – subject to some exceptions – while the United Kingdom and the European Union negotiate a trade deal. This ensured that there were no sudden changes to the United Kingdom's legal arrangements on 31 January 2020. The timeframe during which the United Kingdom is still treated as an EU member state is called the transition or implementation period.
The UK government intends that the transition or implementation period will last no more than 11 months (until 31 December 2020). That is a short timeframe for a new trading arrangement to be negotiated between the United Kingdom and the European Union. Although the Withdrawal Agreement allows the transition period to be extended once (to the end of 2021 or 2022), the government has legislated under Section 33 of the European Union (Withdrawal Agreement) Act 2020 to prevent any application for an extension.
This means that there is a significant likelihood that at the end of the transition period, there will be no deal in place between the United Kingdom and the European Union regarding significant areas of the UK economy.
From a data protection perspective, the European General Data Protection Regulation (GDPR) will apply in the normal way during the transition period. However, the transition period may come to an end on 31 December 2020 without the European Union having made an adequacy decision in favour of the United Kingdom.
The Withdrawal Agreement foresees this gap between the end of the transition period and an EU adequacy decision in favour of the United Kingdom. This is where the complexities of Article 71 of the Withdrawal Agreement become clear.
Article 71 sets out three requirements:
- Article 71(1) ensures that the personal data of data subjects outside the United Kingdom which is processed in the United Kingdom must be processed in accordance with EU law as it stands at the end of the transition period provided that it was processed:
- under EU law before the end of the transition period (including during the United Kingdom's EU membership); or
- under the Withdrawal Agreement (eg, pursuant to the provisions on citizens' rights) after the transition period.
- Article 71(2) disapplies Article 71(1) if the United Kingdom has an EU adequacy decision.
- Article 71(3) provides that if the United Kingdom loses its adequacy decision, it must apply protections to personal data within the scope of Article 71(1) which are essentially equivalent to EU law standards.
Realistically, it is going to be difficult to get adequacy decisions for the United Kingdom if the transition period ends on 31 December 2020. The quickest EU adequacy decision so far (relating to Argentina) took 18 months.
The United Kingdom will adopt the GDPR as national law and turn it into the UK GDPR at the end of the transition period. However, this does not mean that a favourable decision on EU adequacy for the United Kingdom will be easy or automatic.
If the transition period ends on 31 December 2020 with no UK adequacy decision in place, Article 71(1) would have to be implemented into UK law.
Article 71(1) represents something of a safety net for the personal data of data subjects outside the United Kingdom which is processed in the United Kingdom:
- under EU law before the end of the transition period (including during EU membership); or
- under the Withdrawal Agreement (eg, pursuant to the citizens' rights provisions) after the transition period.
Thus, non-UK data held by UK businesses will have to continue to be processed in accordance with the GDPR as it stands on the last day of the transition period.
In some ways, this will make no difference to UK organisations because the default position is that the United Kingdom will transpose the GDPR into domestic law at the end of the transition period. The same cut-off point applies and the same standards will be maintained under the Withdrawal Agreement as in UK domestic law. As such, processing data under the GDPR in accordance with Article 71(1) or under the UK GDPR will make no operational difference, the data will simply be treated in the same way.
However, the reality may be more complex. The GDPR, as it stands on 31 December 2020, will inevitably start to move away from the UK version of the GDPR. That is because even if the UK government does not make further or extensive amendments to the UK GDPR, the UK courts will interpret and develop the UK GDPR. The European Union (Withdrawal Agreement) Act 2020 would allow the UK courts to diverge more quickly from the case law of the European Court of Justice (ECJ) than under the policy pursued by Theresa May's government. Previously, only the Supreme Court and the High Court of Justiciary in Scotland would have been entitled to depart from the retained case law of the ECJ. The policy behind that was to ensure that the interpretation of EU law as retained in the United Kingdom after Brexit stays the same (ie, continuity was deemed to be important). Under Section 26 of the European Union (Withdrawal Agreement) Act 2020, there are powers to make secondary legislation which would allow more courts to diverge from the retained case law of the ECJ (or retained domestic case law which relates to the retained case law of the ECJ), on the basis of a test which has yet to be determined. If such legislation is brought into force, divergence may happen relatively quickly. Further, the UK courts will not be required to follow the judgments of the ECJ handed down after the end of the transition period.
The position under the UK GDPR (particularly regarding the case law of the ECJ) is different from the position regarding the GDPR under Article 71(1). When interpreting the GDPR in accordance with Article 71(1), the UK courts will be required to have due regard to the relevant case law of the ECJ handed down after the end of the transition period. This divergence in approach regarding post-transition period case law of the ECJ is likely to take the GDPR under Article 71(1) and the UK GDPR in different directions.
In addition, over time, the United Kingdom may choose to legislate for divergent positions.
UK businesses may not know which standards apply because they may not know whether the data that they hold was originally from within or outside the United Kingdom. Without information about where the relevant data comes from, it will be impossible for UK businesses to be clear that they are complying with both regimes. The answer might simply be to delete or anonymise legacy data, but databases can be extremely valuable and simply deleting one of a company's most significant assets is an unappealing prospect.
Where there is a contradiction between UK domestic law and the Withdrawal Agreement, the agreement takes precedence. When it comes to non-UK data, the provisions of the Withdrawal Agreement (including Article 71 and the relevant ECJ case law) take precedence over any conflicting UK domestic legislation or case law. However, this does not fully resolve the potential complexities.
A further headache for larger UK businesses is that their operations in the European Union may mean that they are established in the European Union and therefore subject to any updated version of the GDPR. Alternatively, UK organisations may be caught by the GDPR's provisions on extra-territorial scope (eg, when selling goods or services into the European Union). This may mean that they are subject to:
- the GDPR;
- the Article 71(1) version of the GDPR; and
- the UK GDPR (which may start to evolve in an altogether different direction).
This could end up causing significant barriers to trade because companies will simply deem compliance with all of these regimes too complex and costly.
The above points to the necessity of gaining EU adequacy decisions in favour of the United Kingdom in order to ensure that this highly undesirable outcome does not transpire. In the absence of EU adequacy decisions, Article 71(1) of the Withdrawal Agreement will cause considerable headaches for UK companies. It also underscores that diverging standards in the field of data protection present a significant challenge.
This article is based on an update which was originally published on LexisLibrary and LexisPSL.