On 24 February, the European Data Protection Supervisor (EDPS) published an opinion on the opening of negotiations for a new partnership with the UK in light of the beginning of future relationship negotiations. Throughout the report, the EDPS expresses its expectation of a continued close cooperation between the UK. The EDPS provides both recommendations for ensuring a close future partnership while warning of the obstacles that could inhibit a UK-EU adequacy agreement on post-Brexit data transfers.
As an independent institution of the EU, the EDPS aims to advise the Eu institutions on how to coherently and consistently apply the EU data protection principles, including when negotiating agreements with third countries. The EU will, therefore, be reliant on advisory papers such as this when going into negotiations with the UK.
The report asserts three key recommendations: (i) ensuring that the security and the economic partnerships are underpinned by similar commitments to respect fundamental rights including adequate protection of personal data; (ii) defining priorities where arrangements for international cooperation should be concluded in matters other than law enforcement, in particular for the cooperation between public authorities, including Union institutions, bodies, offices and agencies and (iii) assessing the issue of onward transfers of personal data, in light of the Opinion 1/15 of the CJEU both for the economic and the security partnerships.
Of perhaps more importance than the recommendations, however, are the conclusions drawn by EDPS chief Wojciech Wiewiórowski, regarding adequacy decisions. The EDPS does not mince its words in recommending that ‘the [EU] take steps to prepare for all eventualities, including where the adequacy decision(s) could not be adopted within the transition period, where not adequacy decision would be adopted at all, or where it would be adopted only in relation to some areas’. More simply, Wiewiórowski says that the EU should be prepared to accept that an adequacy agreement before the end of 2020 may not be possible.
A disruption to data transfers between the EU and UK would create significant disruption to businesses of all sizes. Whether or not the UK chooses to continue to follow the GDPR, GDPR will stand in the EU and businesses operating in the EU must follow its regulations. The UK has already found its Google users’ data transferred to the U.S. and subject to American legislation. Trade negotiations should be closely monitored between the UK and EU as well as UK and U.S. as regards usage of data.