Data protection under the EU-UK Trade Cooperation Agreement

The EU-UK Trade Cooperation Agreement (TCA) unsurprisingly contains extensive provisions regarding data protection.

First: the good news. The TCA stipulates that, in principle, data transfers between the European Economic Area (EEA), which includes the 27 EU member states, and the UK will not be considered as transfers between the EEA and a so-called third country (Article FINPROV.10A(1) and (2) of the TCA). 

Without such a provision, transfers from the EU to the UK would only have been possible on the basis of a so-called adequacy decision by the EU Commission (which is not yet in place), Standard Contractual Clauses, Binding Corporate Rules or, if permitted, under one of the derogations in accordance with Article 49 of the EU General Data Protection Regulation (GDPR).

The TCA provides for two qualifications to the principle of the free flow of personal data:

1. The principle only applies for a 'specified period', which starts on the entry into force of the TCA and ends on the earlier of:
   • the date of the passing of an adequacy decision by the EU Commission in accordance with Article 36(3) of the Data Protection Law Enforcement Directive ((EU) 2016/680) and Article 45(3) of the GDPR; and
   • 1 July 2021 (unless a party objects, in which case this date is moved forward to 1 May 2021). The (theoretical) problem here is that the TCA enters into force only after having been adopted by the EU Council and the EU Parliament. However, Article FINPROV.11 of the TCA stipulates that the TCA 'provisionally' applies until the 28 February 2021 or any other period determined by the Partnership Council, the body comprised of members of the UK and the EU (Article INST.1). There is no reason to believe that supervisory authorities in the EU will not respect such a provisional application.
2. The principle only applies if the data protection legislation applicable in the UK on 31 December 2020 (as incorporated in the UK European Withdrawal Act and as modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) continues to apply and the UK does not exercise the 'designated powers' with the approval of the EU. ('Designated powers' are the powers to make amendments to certain UK data protection rules as specified in Article FINPROV.10A(3).)

The TCA does not include any provision regarding the transfer of personal data from the UK to the EU. However, the UK Information Commissioner's Office treats all EEA jurisdictions, and all jurisdictions with an existing adequacy decision from the EU Commission, as having an adequate level data protection. The UK government has also specifically stated that there are no changes to the way UK organisations transfer personal data to the EU/EEA.

Another piece of good news is the clear commitment to ensure the free flow of data to facilitate trade in the digital economy. The TCA provides for a prohibition of data-localisation requirements or the requirement to only use facilities located on the territories of a party for the processing of data (Article DIGIT.6).

The TCA emphasises the importance of data protection and the willingness of the parties to ensure a high level of data protection:

• 'The Parties affirm their commitment to ensuring a high level of personal data protection. They shall endeavour to work together to promote high international standards.' (Article COMPROV.10(1))
• 'The Parties recognise that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade, and are a key enabler for effective law enforcement cooperation. To that end, the Parties shall undertake to respect, each in the framework of their respective laws and regulations, the commitments they have made in this Agreement in connection with that right.' (Article COMPROV.10(2))

At the same time, the TCA provides for the right of the parties to adopt privacy and data protection as well as cyber-security regulation within their respective territories in general (Article SERVIN.1.1(2); Article GRP.1(3h)) and for certain areas specifically (Article DIGIT.3). 

The parties recognise that such regulation may result in more fundamental discrepancies between the different data protection regimes. Therefore, the TCA provides, for example, for the right of the parties to suspend the part (or individual titles) of the TCA on law enforcement and judicial co-operation 'in the event of serious and systemic deficiencies within one Party as regards the protection of personal data' (Article LAW.OTHER.137(2))

Very specific rules, largely reflecting the fundamental principles of the GDPR, apply, for example, in the areas of law enforcement and judicial co-operation in criminal matters (Article LAW.GEN.4), the exchange of passenger information (Article LAW.PNR.20 et seq.) and the exchange of DNA, fingerprints and vehicle registration data.