Summary of Data Protection Provisions under the new (December 2020) Brexit Treaty (“Treaty”)

The Story so Far

There is no point in having stringent rules protecting personal data in one country if that country then allows “export” of that data to another country with less protection. So it is in the European Union, where, since 1998, the rules have clearly stated that export of personal data to countries outside the European Union is not permitted. There are exceptions, of course, but they are increasingly impractical, especially for all but the largest companies.
So, without something in place, export of data from the European Union to the United Kingdom would have been prohibited after 23:00 on 31st December 2020. In European terminology, this will be disallowed unless the United Kingdom is granted “equivalence” status: i.e. the United Kingdom's laws are regarded as equivalent to those in the European Union.
Today, the United Kingdom has laws protecting personal data that are identical, in all material respects, to those of the rest of the European Union, since we, like other Member States, are bound by the General Data Protection Regulation [(EU) 2016/679] (“GDPR”).

The New Provisions

The Treaty makes complex and lengthy provisions allowing for the continued exchange of personal data between Member States and the United Kingdom for the prevention, detection and prosecution of crime.
What is of interest to European and United Kingdom businesses, however, is whether they would be hampered, post-Brexit, by the United Kingdom not being regarded as an equivalent state. That has never been the United Kingdom’s perspective, but has been a political football for the European Union in the negotiations for a Treaty. The Treaty states that the United Kingdom will temporarily be considered as part of the European Union (for data protection purposes) until 30th April 2021. That period is automatically extended until 31st June 2021, unless the European Union objects.
The period is foreshortened if, within that time, the European Commission grants the United Kingdom “equivalence” status.

The Final Effect and Comment

On the face of things, this is a classic example of a traditional European Union tactic: kick the can down the road for a while. However, that is probably not the case here. The power to grant the United Kingdom “equivalence” status, which would mean that export of personal data from the European Union to the United Kingdom is permitted, is not within the gift of those who are ratifying this treaty, namely the Member States of the European Union. They ceded that power to the European Commission in the GDPR. So the Treaty could not easily have granted such permission.
The precise wording of the provision in the Treaty is telling. The temporary period will end in less than four (or six) months “on the date on which adequacy decisions [on “equivalence” status] in relation to the UK are adopted by the European Commission”. Unlike many aspects of the Treaty, there is no conditionality here. Rather, there is an intention that adequacy will be granted.
The recognition of “equivalence” has always been regarded as a political tool. Clearly the United Kingdom, unless and until it changes its laws, has laws equivalent to those of the rest of the European Union. So there should be little doubt that, so long as the United Kingdom behaves itself by not changing data protection laws in the next few months, the European Commission will grant the United Kingdom “equivalence” status, and it will remain “business as usual” from a data protection perspective.