Privacy & Information Security Law Blog

On November 14, 2018, the UK government and the EU agreed upon the text of a draft Withdrawal Agreement in relation to the UK’s impending exit from the European Union on March 29, 2019. The draft Withdrawal Agreement provides for a transition period under which the UK will remain subject to a number of its EU membership obligations, during the period starting when the UK leaves the EU on March 29, 2019 to the end of the transition period on December 31, 2020. The draft Withdrawal Agreement provides the following in relation to data protection law:

• EU data protection law, including the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive, will continue to apply to personal data of data subjects outside the UK that are (i) processed in the UK in accordance with the GDPR before the end of the transition period on December 31, 2020, and (ii) processed in the UK after the end of the transition period on the basis of the draft Withdrawal Agreement.
• To the extent that a declaration states that the UK provides an adequate level of protection is issued by the European Commission during the transition period, then EU data protection law (including the GDPR and the e-Privacy Directive) will no longer apply in the UK to personal data of data subjects outside the UK. If, however, such declaration of adequacy ceases to be applicable, the UK commits to ensuring an adequate level of protection for the processing of the relevant personal data that is essentially equivalent to that provided by EU data protection law. Although not explicitly stated in the text of the draft Withdrawal Agreement, this obligation appears to extend beyond the end of the transition period.
• Notwithstanding the above, Chapter VII of the GDPR, relating to cooperation between supervisory authorities and the consistency mechanism, will not apply in the UK during the transition period. As such, organizations will not be permitted to designate the UK Information Commissioner’s Office (“ICO”) as lead authority for GDPR purposes. In addition, the ICO will, during the transition period, have a significantly limited role in relation to the European Data Protection Board. The ICO will be entitled to attend meetings of the European Data Protection  Board in some cases, but will no longer have voting rights.

In practical terms, assuming that the draft Withdrawal Agreement is adopted in its current form, personal data flows between the EU and the UK will likely continue unrestricted during the transition period, until at least December 31, 2020. The draft Withdrawal Agreement itself does not, however, address the relationship between the UK and the EU after the end of the transition period, which will be subject to whatever final deal, if any, is agreed between the EU and the UK. As the draft Withdrawal Agreement is currently written, however, it appears to contemplate a declaration of adequacy in relation to the UK, which if issued would address transfers of personal data from the EU to the UK after the end of the transition period.  As such, it appears that any immediate threat to personal data transfers between the UK and the EU has been staved off, and transfers are likely to continue unaffected during the transition period.

Before being agreed between the UK and the European Council, the draft Withdrawal Agreement must be approved by the UK Parliament. Following multiple resignations from Theresa May’s government yesterday, it looks increasingly unlikely that the draft Withdrawal Agreement will be approved in its current form. If the draft Withdrawal Agreement is not approved, then there remains the prospect of the UK leaving the EU without any transition period or immediate free trade agreement, or any arrangements in place to protect the free flow of personal data between the EU and UK. If, however, a new draft is proposed and agreed upon before the March deadline, it is possible that some of the non-contentious provisions (which may include those relating to data protection) could be carried over into that new proposal.