The UK will be locked out of European Union databases once the Brexit transition period ends – but the UK is hoping a data adequacy decision will be adopted by the end of 2020.
Whether it will make it through Parliament – or indeed whether prime minister Theresa May will make it through the day – is not certain. But it reveals what the UK and EU Brexit negotiators have managed to agree over these months of back-and-forth, which means it still has to be pored over by anyone with skin in the game.
One of the chief considerations of the UK government has been access to the EU’s various databases, networks and systems, which are vital for policing and border checks, to name but two.
During the transition period – currently set to end on 31 December 2020, but which could be extended if the parties agree on an end date by July 2020 – the UK will have access to these databases, such as those collecting information on passenger names, fingerprints and arrest alerts.
After that, the UK will be disconnected from all EU databases and networks, unless they have been specified in the Withdrawal Agreement.
A political declaration (PDF) about the future relationship that has been published alongside the draft agreement optimistically talks about hopes to strike reciprocal arrangements for these data exchanges.
But it also acknowledges that such cooperation between law enforcement and judicial bodies will only happen as far as is “technically and legally possible” – and in the absence of any concrete deals, the UK can only expect access to those databases or systems listed in the document.
This includes “time-limited access to certain EU communications networks, information systems and databases” to “facilitate winding down” of police and judicial cooperation in criminal matters.
This includes the Schengen Information System for three months after the end of the transition period and the law enforcement platform Secure Information Exchange Network Application (SIENA) for up to a year.
The parties also agreed there will have to be continued collaboration on requests for information, surveillance and enquiries that are received before the end of the transition period.
Further derogations from this rule include various systems that allow the nation to comply with procurement, VAT and customs rules, with each given an end date after which access will be cut off. The UK also has to pay the EU for the privilege, with the bloc allowed to charge for the costs of facilitating access.
Adequacy by 2020?
On data protection, the UK has consistently said it wants to secure an adequacy decision – this is where the European Commission assesses a third country’s regime and rubber-stamps it as meeting its own standards.
The Withdrawal Agreement doesn't guarantee this will happen, but the political declaration indicates that the EU will begin talks before the end of the transition period, which would reduce the risk of data falling off a cliff-edge at the end of 2020.
"Commencement of the Commission’s assessments of the United Kingdom’s standards on the basis of the Union’s adequacy framework, endeavouring to adopt decisions by the end of 2020," it said. "In the same timeframe, the United Kingdom will take steps to ensure comparable facilitation of personal data flows to the Union."
Meanwhile, the agreement establishes rules designed to ensure continued protection of information sucked up on EU data subjects during the transition period, which would still be carried out under existing EU laws.
Once the UK leaves the EU, this “stock” of personal data, as it is referred to, must be protected in line with EU laws – but with one critical limitation.
These terms will only apply to personal data collected on data subjects outside the UK; effectively this recognises that the EU cannot require a non-member state to apply GDPR to internal data processing, but it might mean information on these people could be subject to less stringent protections in the future.
The UK will have to stay pretty close to EU rules in order to achieve an adequacy decision, though, if and when this is awarded, the above provision will no longer apply; if that decision is revoked, it kicks back in.
Another interesting element in the Withdrawal Agreement is that Chapter 7 of the EU's General Data Protection Regulation will not apply. This covers cooperation between regulators, including membership and governance of the European Data Protection Board and rules for joint investigations and consistency mechanisms.
One member of the data protection Twitterati, Think Privacy founder Alexander Hanff, questioned what impact this would have on binding corporate rules – designed to allow multinational companies to transfer personal data out of the European Economic Area – granted by the UK’s data protection watchdog.
My concerns over the exemption of Chapter 7 are that if the ICO are not members of EDPB & do not have the powers of EU Supervisory Authorities - it likely invalidates any BCR's authorised by the ICO - let's see how this plays out... #privacy #gdpr — Alexander Hanff (@alexanderhanff) November 15, 2018
Commission: No deal? We're not planning for adequacy
Earlier this week, the EU also made it clear that “the adoption of an adequacy decision is not part of the Commission's contingency planning” in the case of a no-deal Brexit.
“In the case of a no deal scenario, as of the withdrawal date, the transfer of personal data to the United Kingdom will become subject to the rules on international transfers,” it said in a communication (PDF) on Brexit preparedness.
The Commission has a “broad toolbox” for this, it said: “This includes in particular the so-called ‘appropriate safeguards' (eg, the Commission's approved Standard Contractual Clauses, Binding Corporate Rules, administrative arrangements) that can be used both by the private sector and public authorities.”
There are also derogations for specific situations that allow data to be transferred out of the EU to a third country without these safeguards, for instance if the data subject grants explicit consent.
However, as Christopher Knight of 11KBW barristers noted in a blogpost, this appears to be a measure to push the UK away from countenancing a no-deal scenario.
“Anyone who has actually had to put together binding corporate rules, tried to fit the (inexplicably and incompetently not updated) standard contractual clauses to their processing or sought in vain for a derogation may be less blasé,” he wrote.
“Doubtless playing on this lack of welcome for relying solely on the ‘toolbox’ is part of the Commission’s aim for encouraging the UK away from no deal.”
However, it's highly likely that veiled threats about data adequacy are the least of the PM's worries today, as she tries to sell the wider deal to an increasingly angry mob of MPs and a variously disappointed public. ®