The European Commission published the first draft of the proposed Brexit withdrawal agreement on 28 February 2018. It includes provisions in relation to the processing of personal data during a ‘transition period’, and in certain circumstances thereafter.
The draft Withdrawal Agreement
The draft withdrawal agreement sets out the arrangements for the withdrawal of the United Kingdom (“UK”) from the European Union and the European Atomic Energy Community (the “Withdrawal Agreement”).
The Withdrawal Agreement contains the concept of a ‘transition period’, defined as the period from 30 March 2019 to 31 December 2020 (inclusive).
Data protection legislation during the transition period
The Withdrawal Agreement states that EU law shall be applicable to and in the UK during the transition period. If that text and the duration of the transition period remain unchanged, the UK would be subject to EU data protection legislation, including the General Data Protection Regulation (“GDPR”), until 31 December 2020.
Data protection legislation after the transition period
The Withdrawal Agreement contains provisions that will apply after the end of the transition period in relation to data and information processed or obtained before the end of the transition period, or on the basis of the Withdrawal Agreement itself.
The legislation explicitly referred to as falling within these provisions comprises: the GDPR (with the exception of Chapter VII (Cooperation and Consistency)); the ePrivacy Directive (Directive 2002/58/EC); the Law Enforcement Directive (Directive (EU) 2016/680); and any other EU law governing the protection of personal data (the “Applicable Legislation”). These are construed as the legislation applicable on the last day of the transition period, including as amended or replaced.
The Withdrawal Agreement states that the Applicable Legislation will continue to apply in the UK in respect of the processing of personal data of individuals outside the UK, provided that the personal data:
(a) were processed in accordance with EU law in the UK before the end of the transition period; or
(b) are processed in the UK after the end of the transition period on the basis of the Withdrawal Agreement.
The mutual assistance provisions in the GDPR and the Law Enforcement Directive require supervisory authorities to co-operate in order to implement and apply the GDPR and the Law Enforcement Directive in a consistent manner. In particular, supervisory authorities should comply with requests for information, consultations, inspections and investigations.
These provisions will continue to apply to the UK for assistance requests received before the end of the transition period.
EU legislation concerning confidential treatment, restriction of use, storage limitation and requirement to erase data will apply to data obtained by the UK before the end of the transition period, or on the basis of the Withdrawal Agreement itself.
The Withdrawal Agreement will now be discussed over the coming weeks with the other 27 EU nations and the European Parliament’s Brexit Steering Group. It will then be sent to the UK for negotiation.
The effect of the Withdrawal Agreement provisions, if left unchanged, is not totally clear. The intent appears to be to apply broad principles, but the drafting results in ambiguity in relation to the precise effect.
In relation to data protection, the text suggests that the broad intention is for EU data protection law to continue to apply to the UK in relation to the processing of personal data until the end of the transition period as if the UK were still a member of the EU.
Furthermore, after the transition period, people outside the UK whose personal data are processed such that the processing fell within the scope of EU law before the end of the transition period would continue to be protected by EU law in relation to the processing of their personal data. This would apply to the processing of personal data of people outside the UK in the context of the activities of an establishment within the UK. This extends the jurisdictional reach of the GDPR: establishments in other non-EU countries would only be caught by the GDPR’s provisions where their processing activities relate to the offering of goods or services to people in the EU or monitoring the behaviour of people in the EU.
Assuming this interpretation of the Withdrawal Agreement is correct and the text remains unchanged, organisations established within the UK could potentially face two data protection regimes in relation to personal data that they process in the context of the activities of the establishment, i.e. whatever the prevailing UK law is at that time, together with the GDPR in relation to people outside the EU whose personal data were being processed before the end of the transition period.