[Data Protection] Free Trade and Cooperation Agreement UK-EU / Privacy and Data Protection Rules
On 24 December 2020, the EU Commission and the UK government reached consensus on a Free Trade Agreement (UK-EU TCA) which ensures continuity after the end of the Transition Period on 31 December 2020.
The agreement also addresses various aspects of digital trade, including privacy and data protection [Part Two: Trade, transport, fisheries and other arrangements, Heading one: Trade, Title III: Digital trade (pp. 116 et seq.)] in view of [Preamble]
“RECOGNISING the Parties’ respective autonomy and rights to regulate within their territories in order to achieve legitimate public policy objectives such as the protection and promotion of […] privacy and data protection […], while striving to improve their respective high levels of protection,”
While the agreement is still waiting to be formally ratified by both sides, special provisions are in place to ensure that there will be no regulatory gap between 1 January 2021 and the formal date of entering into force. To this end, the agreement contains in the Final provisions articles on Interim provision for transmission of personal data to the United Kingdom [Art. FINPROV.10A] and on Entry into force and provisional application [Art. FINPROV.11].
From this it follows:
(a) until the date on which adequacy decisions in relation to the UK are adopted by the European Commission under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679, or
(b) until the date four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects.
This means that data exports to the UK could be seriously obstructed from as early as 1 May 2021 unless each of the two parties is willing to cooperate.
Looking from the other side, the UK has already declared the GDPR to be adequate from its perspective.
For your convenience, see the UK-EU TCA’s most relevant articles on this matter:
[pages 117 et seq.:]
TITLE III: DIGITAL TRADE
Chapter 1: General provisions
Article DIGIT.1 Objective
The objective of this Title is to facilitate digital trade, to address unjustified barriers to trade enabled by electronic means and to ensure an open, secure and trustworthy online environment for businesses and consumers.
Article DIGIT.2 Scope
1. This Title applies to measures of a Party affecting trade enabled by electronic means.
2. This Title does not apply to audio-visual services.
Article DIGIT.3 Right to regulate
The Parties reaffirm the right to regulate within their territories to achieve legitimate policy objectives, such as the protection of public health, social services, public education, safety, the environment including climate change, public morals, social or consumer protection, privacy and data protection, or the promotion and protection of cultural diversity.
Article DIGIT.4 Exceptions
For greater certainty, nothing in this Title prevents the Parties from adopting or maintaining measures in accordance with Article EXC.1 [General exceptions], Article EXC.4 [Security exceptions] and Article SERVIN.5.39 [Prudential carve-out] for the public interest reasons set out therein.
Article DIGIT.5 Definitions
1. The definitions in Article SERVIN.1.2 [Definitions] of Title II [Services and investment] of this Heading apply to this Title.
2. For the purposes of this Title:
(a) "consumer" means any natural person using a public telecommunications service for other than professional purposes;
(b) "direct marketing communication" means any form of commercial advertising by which a natural or legal person communicates marketing messages directly to a user via a public telecommunications service and covers at least electronic mail and text and multimedia messages (SMS and MMS);
(c) "electronic authentication" means an electronic process that enables the confirmation of:
(i) the electronic identification of a natural or legal person, or
(ii) the origin and integrity of data in electronic form;
(d) "electronic registered delivery service" means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations;
(e) "electronic seal" means data in electronic form used by a legal person which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity;
(f) "electronic signature" means data in electronic form which is attached to or logically associated with other data in electronic form that:
(i) is used by a natural person to agree on the data in electronic form to which it relates; and
(ii) is linked to the data in electronic form to which it relates in such a way that any subsequent alteration in the data is detectable;
(g) "electronic time stamp" means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time;
(h) "electronic trust service" means an electronic service consisting of:
(i) the creation, verification and validation of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and certificates related to those services;
(ii) the creation, verification and validation of certificates for website authentication; or
(iii) the preservation of electronic signatures, seals or certificates related to those services;
(i) "government data" means data owned or held by any level of government and by non-governmental bodies in the exercise of powers conferred on them by any level of government;
(j) "public telecommunications service" means any telecommunications service that is offered to the public generally;
(k) "user" means any natural or legal person using a public telecommunications service.
Chapter 2: Data flows and personal data protection
Article DIGIT.6 Cross-border data flows
1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the Parties by a Party:
(a) requiring the use of computing facilities or network elements in the Party's territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party;
(b) requiring the localisation of data in the Party's territory for storage or processing;
(c) prohibiting the storage or processing in the territory of the other Party; or
(d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties' territory or upon localisation requirements in the Parties' territory.
2. The Parties shall keep the implementation of this provision under review and assess its functioning within three years of the date of entry into force of this Agreement. A Party may at any time propose to the other Party to review the list of restrictions listed in paragraph 1. Such a request shall be accorded sympathetic consideration.
Article DIGIT.7 Protection of personal data and privacy
1. Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
2. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.
3. Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains.
[pages 413 et seq.:]
Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom
1. For the duration of the specified period, transmission of personal data from the Union to the United Kingdom shall not be considered as transfer to a third country under Union law, provided that the data protection legislation of the United Kingdom on 31 December 2020, as it is saved and incorporated into United Kingdom law by the European Union (Withdrawal) Act 2018 and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019* (“the applicable data protection regime”), applies and provided that the United Kingdom does not exercise the designated powers without the agreement of the Union within the Partnership Council.
2. Subject to paragraphs 3 to 11, paragraph 1 shall also apply in respect of transfers of personal data from Iceland, the Principality of Liechtenstein and the Kingdom of Norway to the United Kingdom during the specified period made under Union law as applied in those states by the Agreement on the European Economic Area done at Porto on 2 May 1992, for so long as paragraph 1 applies to transfers of personal data from the Union to the United Kingdom, provided that those states notify both Parties in writing of their express acceptance to apply this provision.
3. In this Article, the “designated powers” means the powers:
(a) to make regulations pursuant to sections 17A, 17C and 74A of the UK Data Protection Act 2018;
(b) to issue a new document specifying standard data protection clauses pursuant to section 119A of the UK Data Protection Act 2018;
(c) to approve a new draft code of conduct pursuant to Article 40(5) of the UK GDPR, other than a code of conduct which cannot be relied on to provide appropriate safeguards for transfers of personal data to a third country under Article 46(2)(e) of the UK GDPR;
(d) to approve new certification mechanisms pursuant to Article 42(5) of the UK GDPR, other than certification mechanisms which cannot be relied on to provide appropriate safeguards for transfers of personal data to a third country under Article 46(2)(f) of the UK GDPR;
(e) to approve new binding corporate rules pursuant to Article 47 of the UK GDPR;
(f) to authorise new contractual clauses referred to in Article 46(3)(a) of the UK GDPR; or
(g) to authorise new administrative arrangements referred to in Article 46(3)(b) of the UK GDPR.
4. The “specified period” begins on the date of entry into force of this Agreement and, subject to paragraph 5, ends:
(a) on the date on which adequacy decisions in relation to the UK are adopted by the European Commission under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679, or
(b) on the date four months after the specified period begins, which period shall be extended by two further months unless one of the Parties objects;
whichever is earlier.
5. Subject to paragraphs 6 and 7, if, during the specified period, the United Kingdom amends the applicable data protection regime or exercises the designated powers without the agreement of the Union within the Partnership Council, the specified period shall end on the date on which the powers are exercised or the amendment comes into force.
6. The references to exercising the designated powers in paragraphs 1 and 5 do not include the exercise of such powers the effect of which is limited to alignment with the relevant Union data protection law.
7. Anything that would otherwise be an amendment to the applicable data protection regime which is:
(a) made with the agreement of the Union within the Partnership Council; or
(b) limited to alignment with the relevant Union data protection law;
shall not be treated as an amendment to the applicable data protection regime for the purposes of paragraph 5 and instead should be treated as being part of the applicable data protection regime for the purposes of paragraph 1.
8. For the purposes of paragraphs 1, 5 and 7, “the agreement of the Union within the Partnership Council” means:
(a) a decision of the Partnership Council as described in paragraph 11; or
(b) deemed agreement as described in paragraph 10.
9. Where the United Kingdom notifies the Union that it proposes to exercise the designated powers or proposes to amend the applicable data protection regime, either party may request, within five working days, a meeting of the Partnership Council which must take place within two weeks of such request.
10. If no such meeting is requested, the Union is deemed to have given agreement to such exercise or amendment during the specified period.
11. If such a meeting is requested, at that meeting the Partnership Council shall consider the proposed exercise or amendment and may adopt a decision stating that it agrees to the exercise or amendment during the specified period.
12. The United Kingdom shall, as far as is reasonably possible, notify the Union when, during the specified period, it enters into a new instrument which can be relied on to transfer personal data to a third country under Article 46(2)(a) of the UK GDPR or section 75(1)(a) of the UK Data Protection Act 2018 during the specified period. Following a notification by the United Kingdom under this paragraph, the Union may request a meeting of the Partnership Council to discuss the relevant instrument.
13. Title I [Dispute Settlement] of Part Six does not apply in respect of disputes regarding the interpretation and application of this Article.
[* As amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020].
Article FINPROV.11: Entry into force and provisional application
1. This Agreement shall enter into force on the first day of the month following that in which both Parties have notified each other that they have completed their respective internal requirements and procedures for establishing their consent to be bound.
2. The Parties agree to provisionally apply this Agreement from 1 January 2021 provided that prior to that date they have notified each other that their respective internal requirements and procedures necessary for provisional application have been completed. Provisional application shall cease on one of the following dates, whichever is the earliest:
(a) 28 February 2021 or another date as decided by the Partnership Council; or
(b) the day referred to in paragraph 1.
3. As from the date from which this Agreement is provisionally applied, the Parties shall understand references in this Agreement to “the date of entry into force of this Agreement” or to “the entry into force of this Agreement” as references to the date from which this Agreement is provisionally applied.
Beglinger LPC | email@example.com | T:+41 58 585 5000 | M:+41 79 405 43 86 | www.beg.ch