The agreement reached at the end of 2020 between the EU and the UK to frame their new relationship resolves many outstanding issues regarding digital policy and cybersecurity. However, we will have to wait a little longer to find out how data transfers between the two parties will be regulated.
The Trade and Cooperation Agreement provides that the status quo continues to apply temporarily for data transfer and data protection. For a maximum of 6 months, the United Kingdom will remain subject to the General Data Protection Regulations (2016/679) and the Police and Criminal Justice Directive (2016/680), as well as the case law of the Court of Justice of the European Union.
This period should allow the European Commission to negotiate legally robust adequacy measures with the UK in order to avoid the same scenario as the Safe Harbour and Privacy Shield provisions with the US. The text provides that the status quo will end as soon as adequacy is granted or after a period of four months, which may be extended for a further two months.
According to Thomas Boué, Director of Government Relations at the Business Software Alliance (BSA), this transitional agreement can be explained by two elements on which sustainable solutions are needed. The first relates to the rules applicable in the United Kingdom in the field of national security, in particular the law governing investigative powers, which was found incompatible with European law by the Court of Justice of the European Union at the end of 2020 (see EUROPE 12575/13). The second is linked to the United Kingdom’s desire to become a hub for international transfers and to sign adequacy decisions with other non-Member States.
Data transferred from the EU to the UK could very well be transferred back from the UK to a non-Member State (onward transfers). “Data transfers are essential for companies of all sizes to operate, innovate and create jobs in all sectors of the economy, from industry to agriculture, from local start-ups to service providers. It is vital for both economies to ensure that data continues to flow safely and securely between the EU and the UK”, argues Thomas Boué.
The European Commission recalls that it has been working on these adequacy decisions since March 2020. After their publication, these decisions will have to be adopted by the Member States under a comitology procedure, following an opinion of the European Data Protection Board (EDPS).
In July 2018, the EU and Japan concluded an agreement on the transfer of personal data (see EUROPE 12064/2), alongside the signing of the bilateral free trade agreement.
Geo-blocking and Cybersecurity
However, the new relationship between the EU and the UK is already effective in other areas. In digital terms, this means, for example, that the regulation on the portability of online content (2017/1128) ceases to apply in the United Kingdom. This means, for example, that the British operator Sky no longer offers its products to Brits travelling within the EU.
With regard to cybersecurity, the Trade and Cooperation Agreement reintegrates the UK into the work of the EU to a limited extent, including participation in some of the work of the European Union Agency for Cybersecurity (ENISA), such as capacity building. The text also provides for regular dialogue and cooperation on an international level, as well as specific sharing of experience between the two parties.
Read the Trade and Cooperation Agreement between the EU and the United Kingdom: https://bit.ly/3s3wH1R (Original version in French by Sophie Petitjean)