After years of uncertainty, the EU-UK Trade and Cooperation Agreement finally establishes a basis for future relations. Personal data governance was an important part of the negotiations and the Agreement includes a number of provisions in this area.
For up to six months, the EU has agreed to treat the UK as effectively a part of the European Economic Area (EEA), subject to it making no significant amendment to its data protection law, which includes the UK granting the EU ‘adequacy’ and thereby facilitating the flow of data. This period will enable the European Commission to assess the UK for a cognate status.
The agreement also provides for the exchange of DNA, fingerprints, vehicle registration and other personal data for law enforcement and judicial purposes. Assuming, as seems very likely, that the UK is accorded adequacy, then no country outside the EEA other than Switzerland will have a closer personal data relationship with the EU. Nevertheless, compared with the latter, a considerably more distant relationship seems likely. Although the EU and Switzerland (but not the UK) share some common regulatory machinery, this is restricted to Schengen (including EURODAC) data and is not the principal issue.
Whilst institutional collaboration matters, it is very limited in both cases. The primary difference is normative: Swiss policy shares a deep-rooted understanding of data protection which is within (and, in some respects, on the stringent side of) the EU norm. In contrast, the UK stance has often been more jaundiced, and a number of those associated with Brexit have argued that the EU’s approach unduly burdens both the internet economy and the fight against serious crime. Although mutual ‘adequacy’ will hopefully be maintained, we may well see considerable divergence emerge in the medium term, with the consequent risks of a more fractious relationship.
Although commentary during the negotiations largely focused on the private sector, most of the Agreement’s provisions concern data sharing by public authorities for law enforcement and judicial purposes. In sum, Part Three of the Agreement sets out a framework for the continued sharing of passenger name records (PNR), criminal records and so-called Prüm data (DNA, fingerprint and vehicle registration), as well as more diffuse data exchange including in the context of UK cooperation with both Europol and Eurojust. Although approximately a dozen countries have cooperation agreements with Europol and/or Eurojust, and even more have ratified the European Convention which enables the exchange of criminal record data, no other country outside the EEA and Switzerland has an agreement covering Prüm data. Moreover, even Switzerland lacks a PNR agreement with the EU, this being currently limited to Australia, the US and now the UK.
Whilst Prüm data will only be supplied via national contact point coordination, the Agreement does stress the need for 24/7 access. Moreover, although the UK has lost direct access to both EURODAC (the European Dactyloscopy database) and the Schengen Information System (with only piecemeal future data sharing provided for on missing or wanted persons or objects), this is largely a natural consequence of the ending of free movement. Overall, the UK will clearly enjoy the closest personal data sharing relationship with the EU outside the EEA and Switzerland.
This continued information exchange is undergirded by common data protection provisions which are specified in both Part Three and the accompanying Annexes. These provisions set out standards related to, inter alia, purpose limitation, data quality including accuracy, necessity including time-limitation, security and integrity including as regards data breaches and (as regards PNR data) transparency. The need for independent supervision by Data Protection Authorities (DPAs) is also stressed.
The protective provisions above are narrowly targeted on information actually transferred rather than on the wider ecosystem within which personal data is used for criminal justice purposes. At least aside from the slightly tangential issue of unsolicited direct marketing, there is also no more than the vaguest long-term commitment to the right to personal data protection as regards other types of processing, including in the private sector. In principle, this may come as a relief to many British policymakers. At least when fighting serious crime and terrorism, the UK has found the EU’s evolving data standards, especially those related to bulk interception and retention, increasingly difficult. Moreover, no less a figure than Michael Gove argued in the lead-up to the Brexit referendum that ‘ECJ judgments on data protection issues hobble the growth of internet companies’.
However, such discretion comes with much less commitment to enabling the broader free flow of personal data going forward. The UK currently retains data protection provisions almost identical to those within the EU, and a final provision provides that, so long as this remains the case and for an interim period of up to six months, the EU will treat it for data protection purposes as essentially a part of the EEA. The UK has already granted the EU data ‘adequacy’ status. It is clearly hoped that the EU will do likewise within this interim period. Despite the new understanding of ‘adequate’ as ‘essentially equivalent’ (GDPR, recital 104), countries with frameworks significantly different to the EU’s, including Israel and New Zealand, continue to be deemed adequate, and so it seems very likely that the UK will also acquire this status. Nevertheless, adequacy should not be confused with an absence of barriers to free flow. Not only may new documentation and transparency requirements apply, but at least those UK controllers directing goods and services to the EU market will now find themselves subject to local member state law and regulatory oversight. These realities are likely to be unwelcome for many within the data-intensive business community, which at one stage even advocated for the continuation of a common UK-EU regulatory ‘one-stop shop’ and UK DPA participation (including full voting rights!) in the European Data Protection Board.
Although under Theresa May the UK Government also hinted at wide-ranging regulatory cooperation after Brexit, such hopes were never very realistic. Indeed, it is notable that outside the common framework of the Schengen and EURODAC systems even Switzerland has not been accorded any such possibility. Although that might broadly suggest an equivalence between the Swiss-EU and UK-EU data relationships going forward, we should be cautious. Switzerland displays a long-standing normative commitment to data protection which is at least in common with, and sometimes on the stringent end of, that within the EU.
Indeed, the reason why the EU currently lacks a mutual PNR agreement with Switzerland is that Switzerland has so far resisted calls to mandate such information collection itself. By contrast, and as previously emphasised, the UK has long been sceptical of the EU’s formally stringent approach here. In the medium term, therefore, significant divergence on data standards is quite possible. It remains imperative that any such divergence is coupled with a commitment to continued mutual adequacy and bona fide implementation of the Council of Europe’s Data Protection Convention. If these twin pillars of coordination are ensured, then a productive relationship between the UK and the EU on personal data remains possible even after Brexit.
David Erdos, Deputy Director, Centre for Intellectual Property and Information Law (CIPIL), Faculty of Law, University of Cambridge