A game of three-dimensional chess – data protection after Brexit

2019 was a year of high-octane political drama in the UK, which culminated in a Conservative election win, a thumping majority, and consequently the certainty that the UK will leave the EU on 31st January 2020 (boo or cheer as appropriate - it's still panto season!). However, as we approach the end January, for many a month of abstinence from sugary treats, alcohol, meat and perhaps the relentless political news cycle, the UK is about to enter uncharted waters. Whilst there is no cliff-edge on 31st January 2020, there are significant challenges ahead, including in the cross-cutting area of data protection, which will affect any UK business, including franchisors and franchisees.

What happens when the Withdrawal agreement kicks in
When the UK leaves, the Withdrawal Agreement between the UK and the EU will kick in.  The Withdrawal Agreement ensures that the UK will (subject to some exceptions) be treated as an EU Member State while the UK and the EU negotiate a trade deal.  This ensures that there will be no sudden changes in the UK's legal arrangements on 31st January. The timeframe during which the UK is treated as if it is an EU Member State is called the transition or implementation period.

The UK Government intends that the transition or implementation period should last only 11 months, until 31st December 2020.  That is a very short timeframe indeed for a new trading arrangement to be negotiated between the UK and the EU. Although the Withdrawal Agreement allows the transition period to be extended once to the end of 2021 or 2022, the government has legislated (under section 33 of the European Union (Withdrawal Agreement) Act 2020) to prevent any application for an extension. 

All this means that there is a significant likelihood that at the end of the transition period there will be no deal in place between the UK and the EU in relation to significant areas of the UK economy.

From a data protection perspective, the GDPR will apply in the normal way during the transition period.   However, the transition period may well come to an end on 31st December 2020 without the EU having made an adequacy decision in favour of the UK.

The Withdrawal Agreement foresees this gap between the end of the transition period and an EU adequacy decision in favour of the UK. This is where the complexities of Article 71 of the Withdrawal Agreement become clear.

What does Article 71 of the draft Withdrawal Agreement say?
Article 71 does three things:

1. Article 71(1) ensures that personal data of data subjects outside the UK, which is processed in the UK, must be processed in accordance with EU law as it stands at the end of the transition period where it was processed: under EU law before the end of the transition period (including during the UK’s EU membership), or after the transition period under the Withdrawal Agreement, for example pursuant to the provisions on citizens' rights.
2. Article 71(2) disapplies Article 71(1) if the UK has an EU adequacy decision.
3. Article 71(3) provides that if the UK loses its adequacy decision it must apply protections to personal data within the scope of Article 71(1) which are ‘essentially equivalent’ to EU law standards.

What are some of the problems raised by Article 71?
The reality is that it is going to be difficult to get adequacy decisions for the UK if the transition period lasts only until 31 December 2020. The quickest EU adequacy decision so far (relating to Argentina) took 18 months.

 The UK will adopt the GDPR as national law and turn it into the ‘UK GDPR’ at the end of the transition period. However, this doesn’t mean that a favourable decision on EU adequacy for the UK will be easy or automatic.

If the transition period ends on 31 December 2020 with no UK adequacy decision in place, then Article 71(1) would have to be implemented in UK law.

What are the implications of Article 71(1) for UK businesses?
Article 71(1) represents something of a safety net for the personal data of data subjects outside the UK, which is processed in the UK.
 As set out above, this safety net operates in relation to personal data from outside the UK, which was processed in the UK:

• under EU law before the end of the transition period (including during EU membership); or
• after the transition period under the Withdrawal Agreement (for example, pursuant to the citizens’ rights provisions).

This means that non-UK data held by UK businesses will have to continue to be processed in accordance with the GDPR as it  stood on the last day of the transition period.

In some ways this will make no difference for UK organisations because the default position is that the UK will save the GDPR into domestic law at the end of the transition period. The same cut-off point applies and the same standards will be ‘saved’ under the Withdrawal Agreement as in UK domestic law. This means that processing data under the GDPR in accordance with Article 71(1) or under the UK GDPR will make no operational difference. The data will simply be treated in the same way.

The reality, however, may be more complex. The GDPR as it stood on 31 December 2020 will inevitably start to move away from the UK version of the GDPR. That is because even if the UK government does not make further or extensive amendments to the UK GDPR, the UK courts will interpret and develop the UK GDPR.  The European Union (Withdrawal Agreement) Act 2020  would allow the UK courts to diverge more quickly from the case law of the Court of Justice of the European Union (CJEU) than under the policy pursued by Theresa May's government.  Previously only the Supreme Court and the High Court of Justiciary in Scotland would have been entitled to depart from the retained case law of the CJEU.  The policy behind that was to ensure that the interpretation of EU law as retained in the UK after Brexit would stay the same – in other words continuity was deemed to be important.  Under section 26 of the European Union (Withdrawal Agreement) Act 2020 there are powers to make secondary legislation which would allow more courts to diverge from the retained case law of the CJEU (or retained domestic case law which relates to the retained case law of the CJEU) on the basis of a test which is yet to be determined.  If such legislation is brought into force then divergence may happen relatively quickly.  Further, the UK courts will not be required to follow the judgments of the CJEU handed down after the end of the transition period.

The position under the UK GDPR (particularly in relation to the case law of the CJEU) is different from the position in relation to the GDPR under Article 71(1). When interpreting the GDPR in accordance with Article 71(1), the UK courts will be required to have due regard to the relevant case law of the CJEU handed down after the end of the transition period. This divergence in approach relating to post-transition period case law of the CJEU is likely to take the GDPR under Article 71(1) and the UK GDPR in different directions.

 In addition, over time, the UK may choose to legislate for divergent positions.

A ‘headache’ for UK business?
UK businesses may not know which standards apply because they may not know whether the data they hold was originally from outside the UK or within it. Without information about where the relevant data comes from it will be impossible for UK businesses to be clear that they are complying with both regimes. The answer might simply be to delete or anonymise legacy data, but databases can be extremely valuable and simply deleting one of a company’s most significant assets is hardly an appealing prospect.

Where there is a contradiction between UK domestic law and the Withdrawal Agreement, the Withdrawal Agreement takes precedence. When it comes to non-UK data, the provisions of the Withdrawal Agreement (including Article 71 and the relevant CJEU case law) take precedence over any conflicting UK domestic legislation or case law.  However, this does not fully solve the potential complexities.

A further headache for larger UK businesses is that their operations in the EU may mean that they are established in the EU and therefore subject any updated version of the GDPR. Alternatively, UK organisations may be caught by the GDPR’s provisions on extra-territorial scope (for example when selling goods or services into the EU). This may mean that they are subject to the GDPR, the Article 71(1) version of the GDPR and the UK GDPR (which may start to evolve in an altogether different direction). This could end up causing significant barriers to trade because companies will simply deem compliance with all these regimes too complex and costly.

Conclusion
This points to the necessity of gaining EU adequacy decisions in favour of the UK in order to ensure that this highly undesirable outcome does not transpire. In the absence of EU adequacy decisions, Article 71(1) causes considerable headaches for UK companies. It also underscores that diverging standards in the field of data protection present a significant challenge. 

This post is based on an article which was originally published on LexisLibrary and LexisPSL.