On 24 February, the European Data Protection Supervisor (‘EDPS’) published its opinion on the opening of negotiations for a new partnership between the UK and the EU (‘Opinion’). As an independent supervisory authority of the EU, the EDPS’ Opinion purports to provide constructive advice to the EU in relation to its future relationship with the UK as well as the future adequacy decision regarding the UK’s protection of personal data.
The EDPS will be further consulted on the text of the draft partnership between the UK and the EU in due course. The European Commission (‘Commission’) is therefore expected to take on board at least some of the EDPS’ recommendations.
The future partnership between the UK and the EU
On 3 February 2020, the Commission set out its negotiation objectives that it will aim to achieve on behalf of the EU. On 12 February 2020, the European Parliament further adopted a resolution on the Commission’s proposed mandate. In its Opinion, the EDPS reviewed the Commission’s objectives and provided its independent recommendations and comments in relation to the protection of personal data, including the following:
- the EDPS supports the Commission in concluding a comprehensive partnership with the UK and in achieving ‘as much as possible’ during the Brexit transition period
- in relation to the UK’s ongoing security partnership with the EU, the UK must maintain its commitments towards the protection of privacy and personal data if it wishes to benefit from the ongoing law enforcement and judicial cooperation between the UK and the EU. The Commission should consider automatic termination of the existing security partnership if the UK were to denounce the European Convention on Human Rights (‘ECHR’), or if any adequacy decision in relation to the UK is repealed or suspended
- in relation to the economic partnership, the Commission should continue its current practice of excluding data protection from any discussions on trade agreements. The EDPS recommends that the economic partnership between the UK and the EU should be underpinned by commitments similar to those underpinning the security partnership, i.e. the economic partnership between the UK and the EU could be affected if the UK decides to withdraw from the ECHR or deviates from other data protection principles
In the UK, the ECHR is implemented by the Human Rights Act 1998, which the UK government previously indicated that it might repeal after the UK leaves the EU. The EDPS’ Opinion suggests that such proposals could jeopardise the flow of personal data of all businesses and government organisations after the end of the Brexit transition period.
Adequacy decision may be reached prior to the end of the transition period but potential obstacles remain
Under the General Data Protection Regulation (‘GDPR’), international transfers of personal data outside the European Economic Area are restricted unless safeguards are put in place. One of the appropriate safeguards is to transfer the personal data to a third country that has received an ‘adequacy decision’ from the Commission, which certifies that the relevant country provides a level of protection of personal data substantively similar to that of GDPR. As most adequacy decisions take years to reach, it was previously feared that an adequacy decision relating to the UK might not be achieved before the end of the transition period, in which case personal data transfers from the EU to the UK would become restricted under GDPR overnight.
The EDPS re-emphasised the importance of the adequacy decision to the UK and EU’s future relationship. A successful adequacy decision will not only reduce friction in the flow of personal data in the private sector but also be relevant for the transfer of personal data from EU institutions and bodies.
The EDPS firstly urged the Commission to clearly define the scope of the envisaged adequacy decision regarding the UK. Under Article 36 of the Law Enforcement Directive (No 2016/680) and Article 45 of GDPR, the Commission could decide to grant the UK an adequacy decision that is limited to one or more specified sectors rather than a decision that is applicable to all sectors.
The EDPS further highlighted that the adoption of an adequacy decision is subject to conditions and procedural requirements under GDPR and the Law Enforcement Directive, which require any draft adequacy decision prepared by the Commission to be reviewed by the European Data Protection Board.
Whilst the EDPS acknowledged that the UK’s status as a former Member State of the EU means that the UK has integrated GDPR into national law, it went on to emphasise that any substantial deviation from the EU data protection regulations could constitute an obstacle to a finding of adequacy, if the deviation lowers the level of protection of personal data in the UK.
Even if an adequacy decision relating to the UK were to be granted, the decision would still be subject to periodic review at least every four years pursuant to the Law Enforcement Directive and GDPR.
The EDPS further recommended that the Commission carefully assess onward transfers of personal data from the UK as part of its adequacy assessment. The UK government has stated in the latest version of its Political Declaration that the UK will be establishing its own international transfer regime. The Commission is thus unlikely to grant an adequacy decision relating to the UK if the UK intends to permit the free flow of personal data to countries that the EU considers to have a high risk of breaching GDPR.
Finally, the EDPS recommended that the EU take steps to prepare for all eventualities, including cases where no adequacy decision is made in relation to the UK or where the adequacy decision is only applicable to certain sectors.
Implications of the EDPS’ Opinion
The Opinion itself did not comment directly on whether the UK would receive an adequacy decision from the Commission before the end of the Brexit transition period. However, it sends important messages to organisations and businesses on both sides of the negotiation:
- the Commission is expected to confirm the scope of the envisaged adequacy decision assessment, which could be limited to certain sectors in the UK. It is not inconceivable that a staged approach may be taken to allow prioritised sectors to enjoy free flow of personal data before it is extended further to other sectors in the UK
- the UK may benefit from its status as a previous EU Member State and its current compliance with GDPR. However, the UK will be expected to follow the required process and meet the relevant conditions set out in GDPR and the Law Enforcement Directive. In other words, there does not appear to be an expedited process to fast-track the UK’s adequacy decision
- if the UK repeals the Human Rights Act 1998 or deviates from the EU’s fundamental rights protection, an adequacy decision is unlikely to be granted (or, if already granted, would potentially be suspended/repealed)
- even if an adequacy decision in relation to the UK is reached, future regulatory developments in the UK will be regularly monitored by the Commission
Businesses should therefore remain vigilant about any updates relating to the progress of the UK’s application for an adequacy decision and continue to prepare contingency plans in case a decision is not made before 30 December 2020.