EU and UK conclude Free Trade Agreement which includes data protection provisions

On 24 December, European Commission President, Ursula von der Leyen, and UK Prime Minister, Boris Johnson, announced that the EU and UK sides had reached consensus on a Free Trade Agreement which provides a path to continuity after the end of the Transition Period on 31 December 2020.

Johnson, in his 34-page summary of the agreement, declared: “The Agreement is based on international law, not EU law. There is no role for the European Court of Justice and no requirements for the UK to continue following EU law.”

Von der Leyen commented: “It was a long and winding road. But we have got a good deal to show for it. It is fair, it is a balanced deal, and it is the right and responsible thing to do for both sides.”

Data protection provisions

The main points regarding data protection law are in the Cooperation Agreement Title III – Digital Trade and are as follows:

  1. Each party has the right “to achieve legitimate policy objectives” including “privacy and data protection”. [DIGIT.3 Right to regulate p.116]
  2. “The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy” and therefore will not require localisation of data storage or processing. [Chapter 2 Data flows and personal data protection Article DIGIT 6.1 Cross-border data flows p.118]
  3. The parties will review these provisions within three years of this Agreement entering into force. [Chapter 2 Data flows and personal data protection Article DIGIT 6.2 Cross-border data flows p.118]
  4. “Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.” But there is a provision covering unspecified exceptions. [Article DIGIT.7 Protection of personal data and privacy p.118]
  5. In a separate Declarations document, there is a statement that the EU will review the “adequacy” of the UK’s data protection laws from the perspective of the EU’s General Data Protection Regulation and the Law Enforcement Directive. The European Commission will “work closely to that end with the other bodies and institutions involved in the relevant decision-making procedure.” [p.25]
  6. The UK has already declared the GDPR to be “adequate” from its perspective.