
Post-Brexit arrangements on data protection between the European Union and the United Kingdom : The relationship between data, data protection and trade and the impact Brexit has on future data protection arrangements b


Academic year: 2021



University of Amsterdam, Amsterdam Law School

Post-Brexit arrangements on data protection between the European Union and the United Kingdom

The relationship between data, data protection and trade and the impact Brexit has on future data protection arrangements between the European Union and the United Kingdom in light of the General Data Protection Regulation

Supervisor: Dr. James Mathis

Number of words: 12,125

Master Track: International and European Law: International Trade and Investment Law


Table of Contents

List of Abbreviations

1 Introduction ... 1

2 Data, Data Protection and Trade ... 3

3 Approaches to Data and Data Protection ... 6

3.1 International Level ... 6

3.2 Free Trade Agreements ... 8

3.3 Regional Level ... 10

3.4 The EU’s Data Protection Regime ... 12

4 Brexit ... 14

4.1 The Draft Withdrawal Agreement on Post-Brexit Data Arrangements ... 14

4.2 Possible Brexit Scenarios in relation to Data Flows between the EU and the UK ... 15

4.2.1 Soft Brexit ... 16

4.2.2 Hard Brexit ... 17

5 Possible Post-Brexit Arrangements on Data Protection between the EU and the UK ... 19

5.1 Possible Post-Brexit Effects on the Level of Data Protection in the UK ... 19

5.2 Adequacy Decision ... 20

5.2.1 Procedural Aspects under the GDPR ... 20

5.2.2 Full Adequacy Decision ... 23

5.2.3 Canada Style Adequacy Decision ... 27

5.2.4 Privacy Shield Style Adequacy Decision ... 28

5.2.5 Conclusion on a Possible Adequacy Decision ... 29

5.3 Appropriate Safeguards and Derogations ... 30

6 Conclusion ... 32


List of Abbreviations

CETA Comprehensive and Economic Trade Agreement

CFR Charter of Fundamental Rights of the European Union

CJEU Court of Justice of the European Union

DPA 2018 Data Protection Act 2018

DRIPA 2016 Data Retention and Investigatory Powers Act 2016

Draft Withdrawal Agreement Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as agreed at negotiators' level on 14 November 2018

E-commerce Electronic commerce

EU European Union

FTA Free Trade Agreement

GATS General Agreement on Trade in Services

GDP Gross Domestic Product

GDPR General Data Protection Regulation

OECD Organization for Economic Co-operation and Development

TFEU Treaty on the Functioning of the European Union

UK United Kingdom

USA United States of America


1 Introduction

As the world moved from the 20th to the 21st century, a shift from the tangible flow of physical goods to intangible flows of data and information was witnessed due to the advent of the digital age. More and more businesses moved onto the digital platform and thus data became increasingly shared and transferred on an international scale.1 The vast majority of data is transmitted, stored and collected across the globe. A tension between digital trade and data privacy arises when personal data is being transferred across national borders. The current system of data protection among different jurisdictions is fragmented with various regional regulatory approaches. The European Union (hereafter: EU) has recently adopted its General Data Protection Regulation (hereafter: GDPR) in which it recognizes data protection as a fundamental right of European citizens. The European Commission stated that privacy is not a commodity to be traded2 and thus places importance on data protection rather than the unrestricted trade of data. The United Kingdom (hereafter: UK) is the host of the largest data center market in Europe and the third largest in the world.3 Accordingly, the UK is dependent on data being transferred unburdened into and out of its territory. Brexit, meaning the UK leaving the EU, threatens to hinder the free flow of personal data for businesses because the UK will become a third country in the light of the EU’s GDPR. This forebodes that personal data of European citizens would no longer be transferred freely from the EU’s single market to the UK because the UK’s data protection regime will no longer automatically be considered adequate relative to the EU’s level of protection (Article 44 GDPR). Therefore, a stable data protection regime between the UK and the EU would be required to allow businesses to transfer personal data between the two territories post-Brexit.

Due to these circumstances, it is necessary to ask: How does data and data protection relate to trade and what impact would Brexit have on possible future data protection arrangements between the UK and the EU in light of the GDPR?

1 United Nations Conference on Trade and Development, ‘Data protection regulations and international data flows: Implications for trade and development’ (2016) United Nations Publication, p.3.

2 European Commission, ‘Key elements of the EU-Japan Economic Partnership Agreement – Memo’ (12 December 2018), para.13.

3 Karen McCullagh, ‘Brexit: potential trade and data implications for digital and ‘fintech’ industries’ (2017) 7:1 International Data Privacy Law, pp.4f.


This thesis will first provide a short overview of what data is and why it is important in today’s international trade. Following this, the approaches to managing data will be analyzed, particularly at the international as well as at the regional level (with an emphasis on the EU rules on data protection). The third section addresses the general background of Brexit and the Draft Withdrawal Agreement, which is followed, in the final section, by a determination of possible post-Brexit arrangements on data protection and data flows between the EU and the UK. This thesis will solely look at the commercial perspective of data flows and data protection rather than a law enforcement one. This is because the scope of the thesis is trade related, so the exchange of information and data from a law enforcement perspective, such as fighting terrorism, falls outside of its scope.

In order to provide an answer to the research question, the doctrinal research method will be used, as this thesis is aimed at studying legal concepts, rules, statutes and cases. Literature and legal documents will be analyzed and applied in order to provide the reader with a general understanding of the interconnection of data, data protection and trade, the effects of Brexit, and the possibilities and obstacles for an EU-UK post-Brexit data protection arrangement.


2 Data, Data Protection and Trade

Geographical borders are becoming less relevant in the 21st century with the emergence of a globally connected world. Through the development of the internet and new technologies, a digital economy has emerged in which the digital trading system is based on the exchange of data.4 The internet is used to manage global supply chains, communicate with customers all over the world and access data stored in scattered data centers (the cloud).5 Data flows provide information, search, financial transactions and communications as well as inter– and intra–company traffic.6 An increasing number of businesses and practices have moved onto the digital platform, allowing data to be increasingly shared and exchanged internationally.7 Information and data flows have become a tradeable and highly valuable commodity as businesses rely and depend on data flows to access markets, enable transactions and manage supply chains around the world.8

The first question that arises in this context is what the term ‘data’ entails. Generally, global data flows primarily consist of ‘information, searches, communications, transactions, videos and intracompany traffic’.9

This wide scope demonstrates that data flows can enable every kind of cross-border data transfer. As data can be used in numerous ways, it has become a fundamental asset in global trade and sharing of data has become essential to enable commercial transactions.10 However, problems arise when traded data is characterized as ‘personal data’. Many businesses use customers’ personal data to provide individual advertisement and personalized services and this processing of data poses a danger to the privacy and personal liberties of people.

4 Jessica Lauren Koffel, ‘GDPR adequacy decisions vs GATS: how may the EU's privacy and digital trade commitments be conciliated within a GDPR adequacy decision on cross-border personal data flows?’ (2018) 24:3 International Trade Law & Regulation, p.122.

5 Joshua Paul Meltzer, ‘The Internet, Cross-Border Data Flows and International Trade’ (2014) 2:1 Asia & the Pacific Policy Studies, pp.90f.

6 Tech UK, ‘The UK digital sectors after Brexit – An independent report commissioned by techUK’ (2017) Frontier Economics, p.35.

7 cf United Nations Conference on Trade and Development (n 1) p.3.

8 cf Koffel (n 4) p.124; cf Tech UK (n 6) p.35.

9 McKinsey Global Institute, ‘Digital Globalization: The New Era of Global Flows’ (March 2016), p.4.

10 Gianpaolo Maria Ruotolo, ‘The EU data protection regime and the multilateral trading system: Where dream and day unite’ (2018) 5:23 QIL, p.7.

Furthermore, difficulty arises at a multilateral level as there is no general definition of what ‘personal data’ entails.11

The EU, in its GDPR, specifically defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’12 At an international level, according to the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of the Organization for Economic Co-operation and Development (hereafter: OECD), ‘personal data’ means, according to paragraph 1.b, ‘any information relating to an identified or identifiable individual (data subject)’. Both of these definitions show that the scope of what personal data entails is rather broad. For example, something like an email address combined with an IP address, location data, someone’s job or political opinion can be enough to identify a natural person and thus qualify as personal data.13

Data can cross many geographical borders without the knowledge of the sender or the recipient. Thus, ensuring an adequate level of protection of personal data has become a key concern of governments.14 Cross-border data flow via the internet is one of the key aspects of all kinds of trading activity. For instance, about half of all trade in services is enabled through data flows, and cross-border data flows account for 3.8 per cent of the global Gross Domestic Product (hereafter: GDP).15 The European Commission stated that the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020.16

Compared to trade in physical goods, the majority of restrictions on internet based services are not customs duties and tariffs, but rather domestic regulatory measures affecting data flow into and out of the physical borders of a country, e.g. regulations relating to privacy.17 Therefore, due to the expansion of the digital economy, data protection is an increasingly important field and directly relatable to trade in goods and services in the digital economy. From the above assessment, it becomes apparent that the free flow of data has to be balanced against requirements for data protection, because, on the one hand, businesses depend on data flows in their daily trading operations, but, on the other hand, individuals have an interest in having their personal data protected.18 Due to the increase in cross-border data flows and data collection, the development of safeguards for individuals with respect to personal data cannot be achieved exclusively at the national level but also requires cross-border data arrangements.

11 cf Koffel (n 4) p.125.

12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/2, Art.4(1).

13 European Commission, ‘What is Personal Data’ (2019) <https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en> (accessed 15 July 2019).

14 cf Meltzer (n 5) p.93.

15 cf Tech UK (n 6) p.10.

16 European Commission, ‘The EU Data Protection Reform and Big Data Factsheet’ (January 2016), p.1.

17 Andrew D. Mitchell and Neha Mishra, ‘Data at the Docks: Modernizing International Trade Law for the Digital Economy’ (2018) 20:4 Vand. J. Ent. & Tech. L., p.1091.

18 Maria Vasquez Callo-Müller, ‘GDPR and CBPR: Reconciling Personal Data Protection and Trade’ (2018) 23 APEC Policy Support Unit, para.IV.4.


3 Approaches to Data and Data Protection

The approaches to data protection across the globe differ. First, it is necessary to look at the international perspective and analyze how far harmonization has come in this field of law. Further, the three most common approaches to data are laid out in order to understand the regional differences in the concept of data protection. As this thesis focuses on the EU and the UK, some of the EU’s more recent free trade agreements (hereafter: FTAs) will be looked at in order to consider their approaches to data protection. This is necessary for, and linked to, the discussion in section five on the possible post-Brexit data arrangements between the EU and the UK. In that regard, it is necessary to introduce the GDPR as a regional model of data protection.

3.1 International Level

The first internationally agreed set of privacy principles was laid down in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It serves as recognition of the importance of (personal) information in the global economy as well as the growing concerns about the possible impact on individuals’ rights due to automated decision making. The Guidelines are based on principles, such as collection and use limitations, openness, accountability, etc. (Part 2 OECD Guidelines) and are generally neutral with respect to technology.19 Overall, they focus on a balance between data flows and data protection.20 Even though these guidelines are non-binding, they can be followed by any country and serve as a reference point and guide for domestic governments and policy makers. Thus, their real impact is the influence on the content of domestic privacy laws and their set of privacy principles has indeed influenced national data protection legislation within the OECD Member Countries.21

Further, due to the interplay between trade and data protection, it is necessary to look at the World Trade Organization (hereafter: WTO) Agreements because this is the multilateral forum specifically designed to regulate trade at the international level.22 So far, no multilateral agreement on the protection of personal data exists. WTO rules were negotiated in the early 1990s and are largely designed for international trade in physical goods and services delivered in person rather than online trade.23 At the WTO, the Members aimed at introducing, within the multilateral trading scheme, specific rules regulating the abuse of digital trade restrictions.24 Further, in 2017 at the Buenos Aires Ministerial Conference, the WTO Members agreed to a political commitment to exclude digital products bought through electronic instruments and delivered electronically from the application of tariffs.25 However, these efforts focus on the free trade aspect of data flows rather than on the privacy angle. Furthermore, there are plurilateral agreements, like the Information Technology Agreement, dealing with trade in information technology products. However, these are mostly tariff cutting mechanisms and do not address data protection.26

19 OECD, ‘Thirty Years After – The OECD Privacy Guidelines’ (2011), p.11.

20 OECD, ‘OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data’ <http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm> (accessed 15 July 2019), para.25.

The WTO legal framework acknowledges the importance of cross-border data flows to a limited extent. Overall, the very core of the trading system that can be found in the General Agreement on Tariffs and Trade is a physical, analog one and this nature has not changed over time regardless of the increasing complexity of trade and digitalization of the economy.27 However, the General Agreement on Trade in Services (hereafter: GATS), which is the international trade agreement containing rules for international trade in services across different sectors, permits, in accordance with Article XIV(c)(ii), trade restrictions necessary for the protection of privacy of individuals in relation to the processing and dissemination of personal data. This provision clearly recognizes the need for the protection of personal data. Additionally, the Annex to the GATS dealing with telecommunications contains provisions that acknowledge the importance of free cross-border data flows while considering privacy and data protection. It however has to be pointed out that these provisions apply exclusively to the telecommunications sector and not to any other area and thus only cover personal data protection to a very limited extent.28

22 Michael J. Trebilcock, An Advanced Introduction to International Trade Law (Edward Elgar Publishing, 2015), para.1.5.

23 cf Meltzer (n 5) p.97.

24 Mira Burri, ‘The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation’ (2017) 51:65 Davis Law Review, sec.I.

25 cf Ruotolo (n 10) p.9.

26 cf Burri (n 24) p.78.

Despite these few outlined developments, the WTO system had, until recently, not reacted to the vastly changed environment surrounding the internet, and data protection considerations had not been addressed directly.29 To remedy this situation, at the end of January 2019, 76 WTO Members confirmed the intention they had announced during the 10th ministerial conference in 2017 to negotiate on trade-related aspects of electronic commerce (hereafter: e-commerce). The rules to be negotiated are intended to enhance opportunities and address challenges of e-commerce, including improving consumers’ trust and tackling barriers preventing cross-border sales and e-contracts, as well as data protection.30 As can be seen from the published position of the EU, it is most likely that data protection will remain subject to safeguards and regulations at a national level and will not be dealt with at a multilateral level in substantive terms.31 However, countries such as the United States of America (hereafter: USA) and New Zealand have circulated proposals that the internet should be kept free from sovereign restrictions and proposed to remove existing restrictions on (personal) data flows and to apply a necessity test, meaning that data flows must be necessary to achieve legitimate policy objectives. At the same time, China stressed the need for appropriate safeguards.32 Thus, it remains to be seen how the parties negotiate a compromise between the interest of those countries, such as the USA, that intend for unrestricted trade and the interest of those countries, like the EU, that aim at very high privacy standards.

3.2 Free Trade Agreements

There is a rising trend of including provisions on e-commerce in FTAs. More recently negotiated trade agreements show a direct recognition of privacy as well as data protection as an important public policy objective for governments and as a necessary condition for stimulating international trade. One example of this trend is Article 16.4 of the Comprehensive and Economic Trade Agreement (hereafter: CETA) between the EU and Canada. This Article states that ‘[e]ach Party should adopt or maintain laws, regulations or administrative measures for the protection of personal information of users engaged in electronic commerce and, when doing so, shall take into due consideration international standards of data protection of relevant international organi[z]ations of which both Parties are a member.’ Another example is Article 14.8 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which entered into force in December 2018 between Australia, Canada, Japan, Mexico, New Zealand, Singapore and Vietnam. The second subparagraph of this Article reads that ‘[…] each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce. In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies.’ Hence, FTAs can be used as evidence for recognizing the rising relevance of the protection of personal data for international trade.33 However, the language of provisions among FTAs around the globe differs, ranging from very broad provisions aiming at the adoption of domestic regulations to provisions referring to specific international standards.34 This arbitrary and often conflicting nature of rules on cross-border data flow in FTAs has the potential of causing a fragmented and disrupted global framework for digital trade, including data protection.35

28 cf Mitchell and Mishra (n 17) pp.1091f.

29 cf Burri (n 24) p.93.

30 European Commission, ‘76 WTO partners launch talks on e-commerce’ (2019) <http://trade.ec.europa.eu/doclib/press/index.cfm?id=1974> (accessed 15 July 2019).

31 Joint Statement on Electronic Commerce – EU Proposal for WTO Disciplines and Commitments relating to Electronic Commerce [2019] WTO INF/ECOM/22, art.2.8(2).

32 Third World Network Information Service on WTO and Trade Issues, ‘Concerns over US push to bring TPP rules into digital trade deal’ (Jul19/05).

In order to get a better idea of how the EU incorporates data protection arrangements in its FTAs with third countries, three of its more recent FTAs will be outlined.

The EU entered into an FTA with South Korea in 2011. It contains strong safeguards for the protection of privacy, in particular with regard to the transfer of personal data. This is laid down in Article 7.43(a). Furthermore, the parties agreed, in accordance with Article 7.48(2), that the development of e-commerce must be fully compatible with international standards of data protection. This is based on the objective of ensuring the confidence of users of e-commerce and refers to international data protection standards such as the ones laid down by the OECD.36

33 Svetlana Yakovleva and Kristina Irion, ‘The Best of Both Worlds? Free Trade in Services, and EU Law on Privacy and Data Protection’ (2016) 2:2 European Data Protection Law Review, p.208.

34 José-Antonio Monteiro and Robert Teh, ‘Provisions on Electronic Commerce in Regional Trade Agreements’ (2017) WTO Working Paper, pp.51-53.

Next, the EU concluded CETA with Canada in 2017. As already explained above, this agreement contains a specific provision, Article 16.4, addressing trust and confidence in e-commerce. The EU deepened the privacy commitments of third countries by incorporating this provision within the FTA.37

The FTA between the EU and Japan, which was negotiated in 2018, contains, in Article 12, a provision on the free flow of data. This article does, however, only impose an obligation on the parties to include an article on free data flow within three years after the entry into force of the agreement. Such a provision clearly signals that the parties have been discussing data flows during the negotiations and thus demonstrates that the dialogue on data flows is evolving.38 In a press release, the European Commission stated that it and the Japanese government had reached a satisfactory conclusion on the level of each other’s rules on data protection and intended to move to the adoption of a mutual adequacy agreement.39 The mutual adequacy agreement created the world’s largest area of data transfer that is considered safe due to the high level of personal data protection in the two territories.40

To conclude, the multilateral system of the WTO is currently clearly lagging behind recently concluded FTAs in addressing the issue of the digital economy and data protection.

3.3 Regional Level

At a regional level, one can distinguish between three major approaches relating to data flows.

The first one is the market-based approach, which gives the technology industry a leading role in implementing policies that balance consumer interests with commercial ones in the area of e-commerce. The aim of this approach is to achieve more innovation and growth. Trade agreements led by countries following this approach tend to incorporate more liberalized provisions towards digital trade. The USA is one of the countries that follow this approach. This approach is, however, criticized for favoring the technology industry to a disproportionate extent.41 With regard to data protection, countries like the USA focus on self-regulation, meaning that norms are mainly industry driven and left to voluntary compliance by companies in the absence of binding data protection legislation.42 This leads to corporate rather than legislative privacy management.43

36 cf Mitchell and Mishra (n 17) p.1100.

37 cf Burri (n 24) p.107.

38 ibid. p.110.

39 An adequacy decision was indeed adopted by the EU for Japan on the 23rd of January 2019. European Commission Press Release Database, ‘European Commission adopts adequacy decision on Japan, creating the world's largest area of safe data flows’ (2019) <http://europa.eu/rapid/press-release_IP-19-421_en.htm> (accessed 15 July 2019).

40 European Commission, ‘Key elements of the EU-Japan Economic Partnership Agreement’ (2018) <http://trade.ec.europa.eu/doclib/press/index.cfm?id=1955> (accessed 15 July 2019).

A second, common approach is the interventionist one, which is used by the EU and incorporates a high degree of regulatory policies to directly intervene in regulating data flows. The resulting domestic policies tend to set strong legal requirements to protect consumers’ rights and are often influenced by civil society organizations. At the same time, the benefits of liberalizing digital trade are acknowledged and taken into account.44 In order to develop and oversee rules that protect individual privacy rights, government boards are created. This approach effectively forces corporations to pay attention to the privacy protection of citizens’ personal data.45

Lastly, one can identify the guarded approach, where countries adopt a cautious attitude towards regulating the internet while exercising strong measures regarding data protection, censorship or cybersecurity in order to protect domestic interests. One major advocate of this approach is China.46 China, for example, introduced a cyberspace law, including cloud-computing restrictions, which imposes extensive local storage requirements and thus excludes foreign firms and products from the Chinese market.47

41 cf Mitchell and Mishra (n 17) p.1084.

42 Tiwalade Adelola, Ray Dawson and Firat Batmaz, ‘Privacy and data protection in e-commerce in developing nations: evaluation of different data protection approaches’ 6 International Journal of Digital Society, p.953.

43 Kenneth Bamberger and Deirdre Mulligan, Privacy on the ground – Driving Corporate Behavior in the United States and Europe (MIT Press, 2015), p.8.

44 cf Mitchell and Mishra (n 17) p.1085.

45 cf Bamberger and Mulligan (n 43) p.8.

46 cf Mitchell and Mishra (n 17) p.1085.


It becomes apparent from these approaches that data flow regulations are influenced by complex political aspects such as innovation, liberalization and consumer as well as privacy protection. Due to these divergent approaches and attitudes towards e-commerce, it is difficult to implement uniform trade rules at a multilateral level.48

3.4 The EU’s Data Protection Regime

The GDPR is the data protection legislation of the EU and succeeded the 1995 EU Data Protection Directive. It was adopted by the EU in April 2016 and has applied since 25th May 2018 in all 28 Member States of the EU (Article 99 GDPR). The GDPR aims to impose obligations on the collection, processing and transfer of personal data on businesses established within the EU, but also on certain third country businesses.

Further, it is meant to provide a very high standard of personal data protection as an expression of the fundamental right of EU citizens to privacy as laid down in Article 8 of the Charter of Fundamental Rights of the European Union (hereafter: CFR) (preamble (1) GDPR). Article 8 of the CFR generally proclaims a right to data protection in paragraph one, but additionally lays down the foundations of the EU’s data protection framework in paragraphs two and three. Therein, it establishes that the processing of personal data has to be fair and on the basis of consent of the persons concerned, as well as that everyone has the right of access to and rectification of collected data. Furthermore, it requires compliance with these rules to be subject to control by an independent authority. In order to substantiate the protection of this fundamental right, the EU imposes strong obligations on those that control and process personal data under the GDPR.49

The GDPR is applicable to the processing (Article 4(2) GDPR) of personal data (Articles 4, 9 or 10 GDPR) by automated or non-automated decision making (Article 2 GDPR) that does not fall within one of the exceptions listed in Article 2(2) of the GDPR. Its territorial scope extends to the establishment principle (Article 3 and Preamble (22) GDPR). The obligations under the GDPR do not only apply within the EU borders but extraterritorially to businesses that provide goods and services to, or monitor the behavior of, EU citizens (Article 3(2) GDPR). Thereby, it creates a level playing field between European and third country companies by requiring them to apply the same rules. Due to the extraterritorial scope of the GDPR, rules are necessary that regulate the transfer of data to third countries, meaning non-EU Member States. Articles 44 to 50 of the GDPR govern the rules under which personal data of European citizens may be transferred outside of the EU borders. In order to ensure free data flows between third countries and the EU, an adequacy decision by the European Commission is necessary (Article 45 GDPR). If an adequacy decision cannot be reached, data transfer is only possible by having appropriate safeguards in the form of binding corporate rules, contract clauses, codes of conduct or certification mechanisms in place (Article 46 GDPR). In the absence of either of these options, transfer of data is only possible through derogations in specific cases that are subject to specific requirements (Article 49 GDPR). These possibilities will be discussed in more detail in section 5.

48 cf Mitchell and Mishra (n 17) p.1087.


4 Brexit

The British population voted in a referendum in favor of the UK leaving the EU, and the UK's then prime minister, Theresa May, gave formal notice of the intent to leave the EU under Article 50 of the Treaty on European Union (hereafter: TEU) on 29th March 2017.50 Article 50 of the TEU lays down the process for any Member State intending to leave the EU and establishes a two-year negotiation period, meaning that the UK was scheduled to leave the EU on 29th March 2019. At the request of the UK, this deadline has been extended to 31st October 2019.51 In order to ensure an orderly Brexit, the EU and the UK have produced the 585-page Draft Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as agreed at negotiators' level on 14th November 2018 (hereafter: Draft Withdrawal Agreement) which, if approved by the UK parliament, becomes a legally binding text setting out the terms of the UK leaving the EU. So far, it remains unclear what form Brexit will take.

4.1 The Draft Withdrawal Agreement on Post-Brexit Data Arrangements

The Draft Withdrawal Agreement lays down the arrangements for the withdrawal of the UK from the EU and sets the frames for their future relationship. The Agreement’s objective is to ensure an orderly withdrawal. For this, both parties have agreed on a so-called transition or implementation period. This period describes the time immediately after the UK leaves the EU, but before the treaty governing the future relationship between the UK and the EU comes into force. The transition/implementation period is intended to last until the end of 31st December 2020 (Article 126 Draft Withdrawal Agreement). During this period, international agreements and EU law will remain applicable in the UK (Article 127(1) Draft Withdrawal Agreement). In the context of data protection, this entails that the GDPR continues to apply to the UK during the transition/implementation period.

50 Theresa May letter to President Tusk [29th March 2017] <https://www.consilium.europa.eu/media/24079/070329_uk_letter_tusk_art50.pdf> (accessed 15 July 2019).
51 European Council Decision taken in agreement with the United Kingdom of 11 April 2019 extending the period under Article 50(3) TEU [2019] EUCO XT 20013/19.

With regard to the use of data, the UK and the EU agreed that the UK has to continue to apply the EU's data protection rules to personal data that was transferred into the UK during EU membership, even after the end of the transition/implementation period (Article 71 Draft Withdrawal Agreement). This obligation under the withdrawal agreement ends when the EU has adopted an adequacy decision in accordance with Article 45 of the GDPR, meaning that the personal data protection regime of the UK would be recognized as providing protection that is essentially equivalent to that in the EU (Article 71(2) and (3) Draft Withdrawal Agreement). The adequacy decision process entails the EU assessing the data protection regime applicable in the UK in the light of Article 45(2) of the GDPR. The outline of the political declaration on the future relationship, which was published along with the Draft Withdrawal Agreement, states that the EU will 'endeavor' to adopt an adequacy decision in relation to the UK by the end of 2020.52

If no adequacy decision has been reached by the end of the transition/implementation period, the data already received during the UK's membership of the Union remains subject to the essentially equivalent standard of protection under the withdrawal agreement (Article 71(1) Draft Withdrawal Agreement). There is a parallel provision for UK personal data in the EU, which will be given the same level of protection as is accorded to data obtained from any other Member State (Article 73 Draft Withdrawal Agreement). This safety net does, however, not provide any mechanism for future data flows between the UK and the EU.

4.2 Possible Brexit Scenarios in relation to Data Flows between the EU and the UK

While the UK is a Member State of the EU and its single market, the UK's level of data protection is, under the GDPR, automatically consistent with EU standards. The GDPR is a regulation, meaning that it is, in accordance with Article 288 of the Treaty on the Functioning of the European Union (TFEU), binding and directly applicable in the UK. Consequently, businesses can transfer personal data freely within the EU without any additional safeguards being necessary. After Brexit, this will no longer automatically be the case because the UK, no longer being an EU Member State, is going to be a third country in the light of the GDPR. Therefore, its data protection regime will, under Article 44 of the GDPR, no longer be presumed adequate for the purpose of an unburdened transfer of personal data between the UK and the EU.

52 Political declaration setting out the framework for the future relationship between the European Union and the United Kingdom [2018] XT 21095/18, para.9.

One has to make a distinction between two Brexit scenarios that are still possible, meaning a soft or a hard Brexit.

4.2.1 Soft Brexit

First, the UK could withdraw from the EU in the form of a soft Brexit, meaning that the UK would leave the EU with some kind of withdrawal agreement in place, such as the one that has been drafted between the EU and the UK but has yet to be accepted by the UK parliament. The UK would still become a third country in the light of the GDPR, but the transition/implementation period would allow for the negotiation of future data arrangements while the free transfer of data between the two territories continues.53 Further, during the transition/implementation period, EU law, including the GDPR, would continue to apply in the UK (Article 127(1) Draft Withdrawal Agreement). After the transition/implementation period, the possible data arrangements between the UK and the EU are either an adequacy decision or, if an adequacy decision cannot be reached, binding corporate rules, standard contractual clauses, codes of conduct or certification mechanisms that businesses themselves have to put in place. The last resort, in the absence of either of these options, would be the derogations that allow for the transfer of data in specific situations.54

The same legal framework would apply if the UK decided to stay in the EU’s customs union because the UK would not be an EU Member State anymore and become a third country under the GDPR. Thus, the UK would be required to bring its data protection laws in line with the EU acquis. This aspect does not constitute a customs union requirement as such but rather a consideration under Article 45 of the GDPR to possibly be granted an adequacy decision.55

With regard to the future trade relationship between the EU and the UK, it remains a possibility that the EU and the UK will conclude some form of FTA. In light of the recent FTAs concluded between the EU and third countries outlined in section 3.2, it is very likely that such an agreement would include a provision on data protection. If the UK had not secured an adequacy decision by the time a potential FTA is concluded, the provision on data protection would probably resemble the ones in the EU's FTAs with Japan or South Korea. If the UK had already secured an adequacy decision by the time it entered into a trade agreement with the EU, the provision might look more like the one in CETA, the EU's agreement with Canada. This is because Canada concluded CETA after its data protection regime had already been recognized as adequate by the European Commission.56 In either case, however, such a provision in an FTA cannot itself be the basis for the free flow of personal data between the EU and the UK; further legal safeguards will be necessary. In the CETA-style case, this aspect would already be covered by an existing adequacy decision, while in the Japan/South Korea-style case these further legal safeguards would still need to be put in place.

53 European Commission Press Release Database, 'Brexit Negotiations: What is the Withdrawal Agreement' (2018) <http://europa.eu/rapid/press-release_MEMO-18-6422_en.htm> (accessed 15 July 2019).
54 cf GDPR (n 12), Art.44.

However, there is a possible scenario under the soft Brexit where the UK would not become a third country in the light of the GDPR. This would be the case if the UK decided to leave the EU but to remain in the European Economic Area. The GDPR would remain applicable and the UK’s data protection regime would automatically be considered adequate and neither an adequacy decision nor further safeguards would be necessary. This is due to the reason that the EU data protection rules apply to the European Economic Area in the same way as to EU Member States.57

4.2.2 Hard Brexit

The second scenario is that of a hard Brexit, meaning a no-deal Brexit, in which the UK leaves the EU with no agreement. There would be no transition/implementation period as laid down in the withdrawal agreement, and the UK would become a third country in the light of the GDPR from the moment of leaving.58 From that moment onwards, the UK would not be bound by the GDPR as it would cease to apply. Even if the UK decided to keep complying with the GDPR after the day it leaves the EU, the transfer of personal data from the EU to the UK would have to be based on one of the legal instruments laid down in Chapter V of the GDPR (Article 44 GDPR). Consequently, no arrangement on the transfer of personal data between the two territories would exist, and EU companies would in principle not be allowed to transfer personal data to the UK until other safeguards are put in place. These safeguards do not differ from the ones applicable in the case of a soft Brexit.59 The difference lies in the time available for negotiating and putting these arrangements in place. Further, the EU side has communicated that there will be no special contingency measure for data flows in case of a no-deal Brexit.60

56 The adequacy decision was granted in 2001 while CETA was entered into in 2017.
57 European Commission, 'Rules on international data transfers' (2019) <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/rules-international-data-transfers_en> (accessed 15 July 2019).

Concluding, all possible Brexit scenarios, except for the UK staying in the European Economic Area, require some form of legal mechanism in order to allow the free flow of data between the EU and the UK and this is essentially based on the UK’s data protection regime. These legal arrangements will be elaborated on in the following section.

58 Andrew Murray, 'Data transfers between the EU and UK post Brexit?' (2017) 7:3 International Data Privacy Law.
59 European Commission Notice to Stakeholders, 'Withdrawal of the United Kingdom from the Union and the EU rules in the Field of Data Protection' (2018) <https://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=611943> (accessed 15 July 2019).
60 European Commission, 'Meeting Between the Secretary-General and Representative of Vodafone Group Plc.' (2019) Ref.Ares803811 <https://www.asktheeu.org/en/request/6328/response/20318/attach/3/20%2012%202018%20Flashnote%20Vodafone%20Meeting%20Redacted.pdf> (accessed 15 July 2019).


5 Possible Post-Brexit Arrangements on Data Protection between the EU and the UK

Data flows to the EU make up three-quarters of all data flows from the UK: 75 per cent of the UK's international data transfers are with other EU Member States.61 Over 70 per cent of the UK's trade in services is enabled by data flows, including flows of personal data.62 Trade in services is of particular importance to the UK as 80 per cent of its GDP originates from this sector.63 These numbers demonstrate the importance of having a regulated data transfer arrangement between the UK and the EU post-Brexit. Without an effective data protection framework that provides for data exchange between the two territories, both are likely to suffer significant financial losses.64 Furthermore, the UK is the most popular EU destination for technology start-ups and has the largest internet economy as a percentage of GDP among the Group of Twenty countries.65 The UK can be characterized as a digitized, information-driven, services-oriented economy, which relies on the free flow of data across national borders.66 The attractiveness of the UK would clearly diminish if barriers to the free flow of data were put in place, because these would have substantial economic repercussions for trade between the UK and the EU.

Consequently, an effective arrangement between the UK and the EU ensuring the exchange and thus the protection of personal data has to be established in order to provide certainty for businesses in both territories.

5.1 Possible Post-Brexit Effects on the Level of Data Protection in the UK

The UK recently adopted the Data Protection Act 2018 (hereafter: DPA 2018), replacing the Data Protection Act 1998, which had implemented the EU Data Protection Directive. The DPA 2018 supplements the GDPR in UK domestic law (the GDPR itself being directly applicable while the UK is a Member State) but includes a few key derogations and exemptions from the GDPR.67 Thus, the standards of data protection in the UK and the EU are to a large extent the same. What might, however, cause difficulties in the context of data protection is the fact that the CFR will not be part of UK domestic law after Brexit (section 5(4) of the European Union (Withdrawal) Act 2018). As has been illustrated above, Article 8 of the CFR is central to the GDPR and its effect. The UK not having an equivalent right under its domestic law would constitute a major divergence of its approach to data protection from that of the EU itself. Additionally, post-Brexit, decisions of the EU institutions and in particular judgments of the Court of Justice of the European Union (hereafter: CJEU) would no longer be binding on the UK.68 This could cause a divergence of the data protection laws of the UK and the EU in the future.

61 cf Tech UK (n 6) p.37.
62 Aysem Diker Vanberg and Maelya Maunick, 'Data protection in the UK post-Brexit: the only certainty is uncertainty' (2018) 32:1 International Review of Law, Computers & Technology, p.190.
63 HM Government, 'The exchange and protection of personal data – a future partnership paper' (2017) <https://www.gov.uk/government/publications/the-exchange-and-protection-of-personal-data-a-future-partnership-paper> (accessed 15 July 2019), para.6.
64 cf Vanberg and Maunick (n 62) p.190.
65 Department for Digital, Culture, Media & Sport, 'A New Data Protection Bill – Our Planned Reforms' (2017) <https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/635900/2017-08-07_DP_Bill_-_Statement_of_Intent.pdf> (accessed 15 July 2019), p.4.

5.2 Adequacy Decision

The envisaged outcome under the Draft Withdrawal Agreement is that the European Commission will grant an adequacy decision to the UK and thereby ensure the free flow of data between the two territories. According to Article 45(1) of the GDPR, an adequacy decision means that transfers of personal data to the third country concerned do not require any specific authorization. It would ensure the free flow of data between the EU, the three European Economic Area EFTA states (to which the GDPR also applies) and the UK without any restrictions. From the European Commission's practice it can be seen that there is not just one form of adequacy decision. Rather, the European Commission can grant a full adequacy decision or a partial one.

5.2.1 Procedural Aspects under the GDPR

The procedural aspects of an adequacy decision are regulated in Article 45 of the GDPR. It lays out a formal decision procedure by way of an implementing act. First of all, it is legally not possible to receive an adequacy decision before becoming a third country.69 Further, the CJEU ruled in the Schrems case that an 'adequate' level of protection corresponds to an 'essentially equivalent' rather than an identical level of protection.70 This decision set a high threshold for the data protection laws of third countries wishing to exchange personal data freely with the EU, because it requires that the laws of the third country prove, in practice, to be effective in ensuring an adequate level of protection. This takes into account the substance of the privacy rights, their effective implementation, as well as supervision and enforcement.71

67 John Woodhouse and Arabella Lang, 'Brexit and data protection' (2017) House of Commons Library, p.17.
68 cf Vanberg and Maunick (n 62) p.194.

The adoption of an adequacy decision is initiated by a proposal of the European Commission. Article 45(2) of the GDPR lays down the elements that the European Commission has to take into account when assessing the adequacy of the level of protection. First, it will look at the rule of law, respect for human rights and fundamental freedoms, and the data protection rules of the third country in question (Article 45(2)(a) GDPR). Further, the third country has to have one or more effective, independent supervisory authorities responsible for ensuring and enforcing compliance with the data protection rules (Article 45(2)(b) GDPR). Lastly, the international commitments entered into by the third country are taken into account (Article 45(2)(c) GDPR). Thus, the analysis covers both the content of the applicable rules and the means for ensuring their effective application. For these considerations, an opinion of the European Data Protection Board (Article 70(1)(s) GDPR) and the approval of the committee of representatives of the EU Member States are required.72 The end of the process is a decision by the European Commission declaring whether (or not) the third country provides an adequate level of protection (Article 45(3) GDPR).

The effect of an adequacy decision is that personal data can flow from all EU Member States to that particular third country without any further safeguards being required (Article 45(1) GDPR). However, an adequacy decision is subject to periodic review by the European Commission, at least every four years, in order to determine whether the third country's laws still qualify as adequate in light of relevant developments (Article 45(3) GDPR). This general time frame has to be adjusted to the third country's particular circumstances, so that a shorter review cycle could be necessary. Consequently, adequacy decisions can be described as 'living documents' that need to be periodically monitored by the European Commission.73

70 Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650 para.73.
71 European Commission, 'Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal Data in a Globalised World' COM (2017)7, pp.6-7.
72 European Commission, 'Adequacy Decision' (2019) <https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en> (accessed 15 July 2019).

According to Article 45(5) of the GDPR, the European Commission has the power to repeal, amend or suspend existing adequacy decisions. Moreover, the European Parliament or the Council may at any time indicate to the Commission that, in their view, a particular adequacy decision exceeds the implementing powers provided for in the GDPR. Additionally, the CJEU has the authority to declare an adequacy decision invalid on the basis that it breaches EU law.74 An example of this is the Safe Harbor decision concerning the USA, which was declared invalid because the level of protection it ensured was not essentially equivalent to that guaranteed under the EU Data Protection Directive, read in the light of the CFR.75

The advantage of an adequacy decision is that it would provide the most certain arrangement for data flows between the UK and the EU: businesses do not have to apply any other safeguards but are able to freely transfer data to the EU and freely receive data from the EU, as long as the adequacy decision is in place. A disadvantage is that an adequacy decision is complex and time consuming to negotiate and to administer. Generally, there is no set time frame for granting an adequacy decision. The most recently negotiated adequacy decision, with Japan, took about two years,76 and the agreement on the replacement of the invalidated adequacy decision between the EU and the USA took around two and a half years to conclude.77 So far, the fastest adequacy decision was granted to Argentina, with an 18-month negotiation period.78 This relatively long time frame could pose a problem for the EU-UK relationship, in particular in the case of a hard Brexit.

The European Commission has recognized Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA as providing adequate protection. The decisions on Canada and the USA are so-called 'partial' adequacy decisions. For Canada this means that the adequacy decision applies only to private entities within the scope of the Canadian Personal Information Protection and Electronic Documents Act. For the USA the partial nature of the decision rests on the fact that only companies committing to abide by the principles of the decision (the Privacy Shield framework) can benefit from free data transfers.79 Furthermore, next to the already granted adequacy decisions, adequacy talks are ongoing with South Korea.

73 cf European Commission (n 71) p.8.
74 cf GDPR (n 12) preamble (143).
75 cf C-362/14 (n 70) para.106.
76 European Commission Press Release Database, 'Joint statement by Commissioner Věra Jourová and Haruhi Kumazawa, Commissioner of the Personal Information Protection Commission of Japan on the state of play of the dialogue on data protection' (2017) <http://europa.eu/rapid/press-release_STATEMENT-17-1880_en.htm> (accessed 15 July 2019).
77 Ian Lloyd, 'IT law in the United Kingdom after Brexit' (2017) 33 Computer Law and Security Review, p.186.
78 Institute for Government, 'Data Adequacy' (2018)

5.2.2 Full Adequacy Decision

An adequacy decision was evaluated by the Lords Select Committee on the EU, which represents the UK’s House of Lords in its dealing with the EU, to be the least burdensome and most comprehensive platform for the transfer of personal data with the EU.80 Some commentators do, however, warn that simply adopting the GDPR by way of the Data Protection Act may not be sufficient for the UK to be granted an adequacy decision.81 In order to evaluate the possibilities of the European Commission declaring the UK DPA 2018 as adequate, it is necessary to apply Article 45(2) (a)-(c) of the GDPR to the situation of the UK:

(a) ‘The rule of law, respect for human rights and fundamental freedoms, relevant legislation […], data protection rules, […], including rules for the onward transfer of personal data to another third country […], case law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data are being transferred’:

Since the CJEU's decision on the Safe Harbor Agreement between the EU and the USA, particular importance has been placed on the protection of the fundamental right to data protection as a precondition for a third country to fulfill the adequacy requirements.82 Looking at the situation of the UK, it becomes apparent that the CFR will cease to be part of UK domestic law after the UK leaves the EU.83 The UK's Human Rights Act 1998 only contains the right to 'respect for private and family life, home and correspondence' rather than a specific right to data protection (Schedule 1, Part I, Article 8 Human Rights Act 1998). Nor does the UK's DPA 2018 explicitly incorporate Article 8 of the CFR. The UK not explicitly recognizing the right to data protection that is central to the EU's legislation would constitute a major divergence of the UK's approach to data protection from that of the EU itself. Further, privacy leaders in the UK describe privacy protection in terms of consumer expectations, fairness and risk management rather than as a fundamental right of UK citizens.84 Thus, it is questionable whether the UK's legislation would still offer protection that is essentially equivalent to that of the GDPR.85 The UK would have to demonstrate that its level of protection is, in practice, equivalent to that guaranteed by Article 8 of the CFR.

79 cf European Commission (n 72).
80 cf Woodhouse and Lang (n 67) p.3.
81 Elif Mendos Kuşkonmaz, 'Brexit and Data Protection: The Tale of the Data Protection Bill and UK-EU Data Transfers' (EU Law Analysis Blog, 26 September 2017) <http://eulawanalysis.blogspot.com/2017/09/brexit-and-data-protection-tale-of-data.html> (accessed 15 July 2019).

Next, when comparing the data protection rules in the UK's DPA 2018 to the GDPR, it becomes apparent that the UK follows a very similar approach to onward data transfers and data subject rights as the EU does (Schedule 6 DPA 2018). One major discrepancy is, however, the UK's approach to national security. While the GDPR excludes national security from its scope, the DPA 2018 deals with it by way of exemptions, meaning that certain rights of data subjects can, according to the UK's Act, be set aside on national security grounds in a way not foreseen under the GDPR. This can be found in sections 26 and 110 of the DPA 2018. These sections grant the UK's intelligence services wide access to personal data in the name of national security. The exemption extends to the data protection principles and data subject rights (section 110(2) DPA 2018) and thus has a major impact on personal data. The problem of broad powers granted to national security agencies already arose in the EU-USA context. In the Schrems case, the CJEU considered the ease with which the USA's national security agencies could access the personal data of EU citizens and took this aspect into account when deciding that the adequacy decision had to be declared invalid.86 This clearly demonstrates that the EU does not tolerate overly broad powers in the name of national security, and it is thus questionable whether the UK can retain these provisions in its data protection framework without jeopardizing an adequacy decision.

82 Paul-Jasper Dittrich, 'To be or not to be adequate – a guide to Brexit and data flows' (2018) Jacques Delors Institute Berlin, Center for European Affairs at the Hertie School of Governance, p.7.
83 Section 5(4) of the European Union (Withdrawal) Act 2018.
84 Bamberger and Mulligan (n 43) p.12.
85 Joint Committee on Human Rights, 'Legislative Scrutiny: The EU (Withdrawal) Bill: A Right by Right Analysis' [2018] First Report of Session 2017-19, pp.11f.

Another main concern regarding the UK's data protection regime is the UK's Investigatory Powers Act 2016 (hereafter: IPA 2016), the successor to the Data Retention and Investigatory Powers Act 2014 (DRIPA 2014), because of the worry that the intelligence services have too broad surveillance powers. Particularly relevant is Part 4 of the IPA 2016, which permits data retention notices to be issued by the Secretary of State. Section 87(1) permits the Secretary of State to require telecommunications operators to retain relevant communications data if the Secretary of State considers this necessary and proportionate for one or more of the purposes listed in paragraphs (a) to (j) of section 61(7). The Secretary of State's decision has to be approved by a Judicial Commissioner (section 87(1)(b) IPA 2016). The CJEU, in the Tele2 Sverige/Watson case, which concerned the predecessor retention regime under DRIPA 2014, has already declared that UK data retention of this kind is not in line with EU law.87 The court found a violation in particular with regard to the general and indiscriminate retention of communications data and bulk data collection by intelligence services in the UK, which contradicts the fundamental rights enshrined in the CFR, given that the UK intelligence services have broad authorizations to access email data, tap telephone conversations or break into social media accounts.88 In this case, the CJEU held that the objective pursued by the legislation in question has to be proportionate to the seriousness of the interference with fundamental rights that access entails. In the area covered by the IPA 2016, meaning the prevention, investigation, detection and prosecution of criminal offences, only the objective of fighting 'serious crime' is capable of justifying access to retained personal data.89 When looking at the purposes that the Secretary of State in the UK can invoke to require the retention of data under section 61(7), it becomes apparent that not all of the listed paragraphs meet the standard of fighting serious crime set by the CJEU. The purposes of retaining communications data in the interest of national security (section 61(7)(a) and (c) IPA 2016) or public safety (section 61(7)(d) IPA 2016) might fulfill the standards the court laid down. However, purposes such as preventing crime (section 61(7)(b) IPA 2016), protecting public health (section 61(7)(e) IPA 2016), assessing any tax (section 61(7)(f) IPA 2016) or exercising functions relating to financial stability (section 61(7)(j) IPA 2016) clearly do not meet this standard and would thus constitute a violation of EU law. Consequently, these provisions may pose a problem in light of Article 8 of the CFR, and the UK possibly does not fulfill the precondition of respecting the right to data protection of European citizens in order to be eligible for an adequacy decision. The last problem is a merely hypothetical one and concerns the fact that UK courts will no longer be bound by decisions of the CJEU post-Brexit. This might lead to discrepancies between the EU and the UK as the respective courts develop data protection law. Consequently, the data protection laws of the UK and the EU might diverge in the future. To remedy this situation, the UK would have to closely monitor changes to data protection rules in the EU.

86 cf C-362/14 (n 70) para.90.
87 Case C-203/15 Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others [2016] ECLI:EU:C:2016:970 para.125.
88 ibid. paras.92-94 and 118-119.

To conclude, there are four issues that may pose a problem for the UK in obtaining an adequacy decision: the removal of the CFR from domestic law, the national security exemption, certain provisions of the IPA 2016, and the exclusion of the CJEU's jurisdiction. Next, it is necessary to analyze Article 45(2)(b) in order to assess whether further obstacles could arise for the UK.

(b) ‘the existence and effective functioning of one or more independent supervisory authorities in the third country […], with responsibility of ensuring and enforcing compliance with the data protection rules, […]’:

The UK's DPA 2018 provides in section 114 for the continuation of the existence and operation of the Information Commissioner. Thus, the UK has a well-respected and experienced data protection authority in place. Under Part 5 of the DPA 2018, the Information Commissioner is vested with the relevant responsibilities of ensuring and enforcing compliance with data protection rules and of co-operating internationally. Further, the UK has not made any derogation from the requirement for organizations to have a Data Protection Officer (DPO) as stated in the GDPR.90 Consequently, this subparagraph does not constitute an obstacle for the UK in the process of possibly receiving an adequacy decision from the EU. Lastly, it remains necessary to consider the UK's international commitments in the light of Article 45(2)(c).

(c) ‘the international commitments the third country […] had entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data’:

As long as the UK remains a Member State of the EU, the European Parliament and the Council have, in accordance with Article 16 TFEU, the power to lay down rules relating to the protection of individuals with regard to personal data. Therefore, the UK has not entered into international commitments relating to the protection of personal data that differ from those of the EU. Post-Brexit, the UK will be excluded from the adequacy decisions the EU has already concluded with third countries. It remains to be seen how the UK will deal with this situation and what kind of deal it will negotiate with third countries91 because the Draft Withdrawal Agreement is silent on this matter. Thus, if the UK does not negotiate anything with third countries in relation to the protection of personal data until it leaves the EU or until the end of the transition/implementation period, the UK will not have any international data protection commitments in place. Next to a full adequacy decision, the EU could grant a partial adequacy decision. There are two types of partial adequacy decisions, which will be elaborated on in the following sections.

5.2.3 Canada Style Adequacy Decision

The adequacy decision applicable to Canada is a so-called partial adequacy decision because it is limited to personal data transfers between entities that are clearly regulated by the Canadian data protection law, namely the Personal Information Protection and Electronic Documents Act (Article 1 Adequacy Decision).

90 Penningtons Manches, ‘United with differences: Key GDPR derogations across Europe’ (2019) <https://www.penningtons.co.uk/news-publications/latest-news/2019/united-with-differences-key-gdpr-derogations-across-europe/> (accessed 15 July 2019).

91 Kurt Wimmer and Joseph Jones, ‘Brexit and Implications for Privacy’ (2017) 40:5 Fordham International Law Journal, pp. 1559f.

Only private organizations that use the data for commercial activities have free access to data of EU citizens. This rule excludes the Canadian government itself as well as non-profit organizations from using the free flow of data between the two territories, as these are not covered under the Canadian law.

When applying this model to the situation of the UK, it becomes apparent that it is not a likely option. The UK data protection legislation does not cover only a specific sector or group of entities but rather the whole topic of data protection as such. However, it would remain a possibility to apply a sector-based partial adequacy decision to the UK by excluding from the free flow of data the data that would be covered under the DRIPA 2016 and by excluding the national security exemption from the scope of the adequacy decision. With this, two of the main problems under the full adequacy decision could be circumvented, but the decision would, at the same time, still be of a broad sectoral application. Difficulties might however arise when data has to be correctly classified as possibly falling under the relevant UK Acts, which might raise privacy concerns regarding the personal data of European citizens.

5.2.4 Privacy Shield Style Adequacy Decision

The Privacy Shield between the USA and the EU allows the free transfer of data to certified companies in the US that abide by the Privacy Shield’s principles. This is because the US does not have any generalized system of data protection legislation. Thus, the Privacy Shield protects the rights of EU citizens whose personal data is transferred to the USA for commercial purposes. This framework furthermore requires an annual joint review by the USA and the EU to assess the application of the Privacy Shield, and additionally, the European Commission reviews the Privacy Shield annually to determine whether the level of adequacy is still essentially equivalent to that of the EU.92 For American companies, the Privacy Shield entails that they have to self-certify that they meet its requirements once a year, that they display privacy policies on their website, reply immediately to complaints and cooperate and comply

92 European Commission, ‘Commercial Sector: EU-US Privacy Shield’ <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en> (accessed 15 July 2019).
