Information Law analysis: Eleonor Duhs, director in the Technology, Outsourcing and Privacy team at Fieldfisher, discusses how Article 71 of the EU-UK Withdrawal Agreement will apply from a data protection perspective if the UK does not obtain an adequacy decision at the end of the Brexit transition period.
Article 71 of the Withdrawal Agreement will only apply if the UK does not get EU adequacy at the end of the transition (or ‘implementation’) period. It is the EU’s insurance policy in relation to EU personal data. It ensures that EU data which came to the UK during the UK’s EU membership or during the Brexit transition period is still processed in accordance with the standards set out in the General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR) after the transition period has ended.
Summary of the relevant provisions of the Withdrawal Agreement
In summary, Article 71(1) ensures that personal data of data subjects outside the UK, which is processed in the UK, is processed in accordance with EU data protection law as it stands at the end of the transition period. This applies where the data was processed:
- under EU law before the end of the transition period (including during the UK’s EU membership), or
- after the transition period under the Withdrawal Agreement, for example pursuant to the provisions on citizens’ rights
This data is referred to in this News Analysis as ‘Legacy Data’.
Article 71(2) disapplies Article 71(1) if the UK receives an EU adequacy decision.
Article 71(3) provides that if the UK loses its adequacy decision it must apply protections to personal data within the scope of Article 71(1) which are ‘essentially equivalent’ to EU law standards.
Article 71 is high-level and interacts with a complex web of the remainder of the Withdrawal Agreement and various Brexit legislation. Therefore, a number of aspects of how it may apply in practice remain to be confirmed in subsequent legislation and guidance.
The ‘Frozen GDPR’
It is important to note that the data protection standards in Article 71 will not be updated. The EU GDPR ‘as applicable on the last day of the transition period’ will apply in respect of Legacy Data (this is the effect of Article 6(1) of the Withdrawal Agreement). This version of the EU GDPR will be referred to in this article as the ‘Frozen GDPR’.
The Frozen GDPR must be interpreted in accordance with the relevant case law of the Court of Justice of the European Union handed down before the end of the transition period (see Article 4(4) of the Withdrawal Agreement). In interpreting the Frozen GDPR the UK courts will need to have ‘due regard to relevant case law of the [Court of Justice] handed down after the end of the transition period’ (see Article 4(5) of the Withdrawal Agreement). This means that the past case law on the EU GDPR as well as cases handed down after the end of the transition period will be applicable when UK courts are considering the interpretation of the Frozen GDPR.
Implementation of the ‘Frozen GDPR’ in UK law
Section 7A of the European Union (Withdrawal) Act 2018 (EU(W)A 2018) implements Article 71 of the Withdrawal Agreement. Section 7A is drafted in the same way as section 2(1) of the European Communities Act 1972 (ECA 1972). ECA 1972, s 2(1) allowed the EU GDPR to ‘flow’ into UK domestic law without the need for further implementing legislation. In the same way, EU(W)A 2018, s 7A allows the ‘Frozen GDPR’ to apply in UK domestic law.
In terms of hierarchy, the Frozen GDPR takes precedence over the UK GDPR (see below). This is because the EU law made applicable by the Withdrawal Agreement has the same legal effect in the UK as it has in the EU Member States (see Article 4(1) of the Withdrawal Agreement). That includes the principle of the supremacy of EU law over domestic law. The supremacy of the Frozen GDPR over the UK GDPR is reflected in the drafting of the EU(W)A 2018. The saving of the UK GDPR under section 3 of the EU(W)A 2018 is subject to the provisions which flow in through EU(W)A 2018, s 7A, including the Frozen GDPR (see EU(W)A 2018, s 3(2)(a)(bi)). The Frozen GDPR is to be interpreted in accordance with EU law principles, including the supremacy of EU law (see EU(W)A 2018, s 7C(1) and (2)). This means that for the processing of Legacy Data, the Frozen GDPR applies. In the event that UK domestic law (including the UK GDPR) and the Frozen GDPR conflict, the Frozen GDPR will take precedence.
Further legislation is likely to be needed in order to ensure that the Frozen GDPR works properly in domestic law.
The UK GDPR
At the end of the transition period the EU GDPR will be saved into UK law through EU(W)A 2018, s 3. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, SI 2019/419 rename the retained EU GDPR the ‘UK GDPR’. They amend the UK GDPR to make it work properly as domestic law. For example, adequacy decisions made by the European Commission are replaced with adequacy regulations made by the Secretary of State (see SI 2019/419, Sch 1 para 38(2), Sch 2 para 23).
Interpretation of the UK GDPR
The UK GDPR will fall within the category of ‘retained EU law’ (see EU(W)A 2018, s 6(7)). When interpreting retained EU law, the UK courts will not be bound by judgments of the Court of Justice handed down after the end of the transition period (see EU(W)A 2018, s 6(1)(a)).
Lower courts will be bound by the case law of the Court of Justice handed down before the end of the transition period (known under the EU(W)A 2018 as retained EU case law—see EU(W)A 2018, s 6(7)), but under the government’s plans certain appeal courts including the Court of Appeal in England and Wales and the Supreme Court will not be bound by retained EU case law. The draft European Union (Withdrawal) Act 2018 (Relevant Court) (Retained EU Case Law) Regulations 2020 (if passed) would enable the Court of Appeal and other similar courts to depart from retained EU case law where it is ‘right to do so’. The ability to depart from retained EU case law is already conferred on the Supreme Court and the High Court of Justiciary in Scotland under EU(W)A 2018, s 6(4).
For personal data subject to Article 71, how will the obligations on controllers differ from other personal data subject to the UK GDPR regime?
To begin with there will be no material difference in most cases. The Frozen GDPR and the UK GDPR will be almost exactly the same. However, it is likely that further domestic legislation will be required in order for it to work properly. For example, it is not clear how the many references to ‘Union law’ in the Frozen GDPR should be construed, given that much of the legislation which is referenced in this context will no longer apply to the UK.
One main difference will be in terms of the interpretation of the two instruments by the UK courts. The Frozen GDPR will continue to be interpreted in accordance with the case law of the Court of Justice. By contrast the interpretation of the UK GDPR is likely to change because the post-transition period case law of the Court of Justice will no longer be binding on UK courts.
If the draft European Union (Withdrawal) Act 2018 (Relevant Court) (Retained EU Case Law) Regulations 2020 are approved by Parliament, the meaning of the UK GDPR as interpreted through case law may diverge quite quickly from that of the Frozen GDPR. The majority of respondents to the government’s consultation on the Retained EU Case Law considered that those Regulations should not be made because of a risk to legal certainty, which would result in the re-litigation of well-established legal principles, a divergence in legal approaches across the UK on similar issues and an incoherent legal framework (see the government response to the consultation, page 14). If this analysis proves correct then the obligations imposed under the Frozen GDPR are likely to be predictable, in contrast to the obligations under the UK GDPR.
It also appears that adequacy decisions and standard contractual clauses (SCCs) for international transfers of personal data will be frozen as at the end of the transition period for the purposes of the Frozen GDPR, since they are also ‘provisions of Union law governing the protection of personal data’ (and therefore subject to Articles 6(1) and 70–71 of the Withdrawal Agreement and EU(W)A 2018, s 7A). It would follow that:
- adequacy decisions and forms of SCCs that applied under the EU GDPR on 31 December 2020 can continue to be used to transfer Legacy Data internationally (even if the EU subsequently revokes those for the EU GDPR)
- SCCs or adequacy decisions which subsequently form part of EU law after the end of the transition period could not be relied on for the transfer of Legacy Data. The EU is expected to produce new SCCs for the EU GDPR towards the end of this year and is aiming to grant further adequacy decisions (eg to South Korea)
This may complicate international transfers for organisations transferring sets of personal data to which the Frozen GDPR may apply.
Will the ICO regulate the laws applicable to Article 71 or will the processing of such data be subject to regulation by EEA supervisory authorities? If there is a personal data breach relating to personal data subject to Article 71, should the organisation notify the ICO or EEA supervisory authorities (or both)?
The ICO will regulate the laws applicable to Article 71. However, it is not clear what role (if any) EEA supervisory authorities might have in regulating the Frozen GDPR. The Frozen GDPR omits Chapter VII of the EU GDPR, which relates to co-operation between regulators (see Article 70(a) of the Withdrawal Agreement). There is therefore no procedure in place to allow for the lead supervisory authority process to be initiated or conducted. It is therefore difficult to see how there would be scope for EEA supervisory authorities to regulate the processing of Legacy Data efficiently, unless this position was changed.
However, the EU GDPR may also apply to entities outside the EU (including in the UK) because of its extra-territorial scope (see Article 3 of the EU GDPR). If that is the case, then there may be an additional requirement on UK companies subject to the EU GDPR to notify EEA supervisory authorities. Depending on the circumstances of the data breach, the Frozen GDPR and/or the UK GDPR may also apply along with the EU GDPR, giving rise to a requirement to notify the ICO as well as appropriate EEA authorities. For example, if there was a major data breach affecting a UK company with establishments across the EU and which holds Legacy Data, each of the UK GDPR, EU GDPR and Frozen GDPR may be engaged.
Will organisations processing personal data subject to Article 71 need to comply with BOTH laws pursuant to Article 71 AND also with the UK GDPR (to the extent they impose different obligations)?
Article 71 and the UK GDPR will not apply simultaneously for the same data. That is because the provisions of the Withdrawal Agreement take precedence over UK domestic law (see the section above on the implementation of the Frozen GDPR in UK law). This means that the Frozen GDPR takes precedence over the UK GDPR (and UK domestic law more generally). So where EU legacy data is concerned the Frozen GDPR will apply. UK domestic law which conflicts with the Frozen GDPR will fall to be disapplied by the UK courts.
It is quite likely, however, that if Article 71(1) comes into effect at the end of the transition period, UK companies will have to comply with both the Frozen GDPR and the UK GDPR because their systems will contain Legacy Data as well as data which originates in the UK. Legacy Data will be regulated under the Frozen GDPR, whereas data which originates in the UK will fall under the UK GDPR.
Divergence between Court of Justice case law and UK case law in the field of data protection may create differences in terms of how the Frozen GDPR and the UK GDPR are interpreted.
Will additional UK legislation or guidance be needed in connection with this regime if it applies?
Yes. The Frozen GDPR will not work on its own. Just as the EU GDPR needed the Data Protection Act 2018 (DPA 2018) to be implemented alongside it, for example to create exemptions where those were required under the EU GDPR, so the Frozen GDPR will need to work alongside the DPA 2018 to enable the proper processing of data which falls within the scope of Article 71(1). If it appears that there will not be an EU adequacy decision for the UK at the end of the transition period then it is likely that further legislation will be made, in order to enable the Frozen GDPR and the DPA 2018 to ‘interact’.
Further regulatory guidance is also expected on these matters in those circumstances.
This article was first created and published for Lexis Nexis, but is authored by data expert and Fieldfisher lawyer Eleonor Duhs.