What the Brexit trade agreement says about data protection, privacy and cybersecurity

We now have a trade agreement in place in time for the end of the Brexit transition period tonight. But what does the document say about data protection, privacy and cybersecurity? PrivSec Report pulls out the key points.

 

DATA PROTECTION AND PRIVACY

The agreement makes it clear that as a general principle nothing in the agreement’s section on regulatory practice should “affect the right of a party to define or regulate its own levels of protection in pursuit or furtherance of its public policy objectives” in areas including data protection and cyber security. This spells out that the UK is able to diverge from the EU’s policies in these areas.

The most pressing concern was what was going to happen regarding the transfer of personal data from the European Union to the UK after 31 December.

To the relief of many, the trade agreement allows personal data to flow freely from the EU to the UK until adequacy decisions have been adopted, for a period of no more than six months. This effectively means that transfers of personal data to the UK would not be considered transfers to a third country and as such, would not be prohibited by the GDPR.

The purpose of this additional six months is to give the European Commission time to assess the adequacy of the UK’s data protection laws.

As PrivSec Report has already reported, this was instantly welcomed by the Information Commissioner’s Office (ICO).

The agreement’s provisions to promote digital trade also prohibit requirements to store or process data in certain countries.

A summary of the agreement says: “This is the first time the EU has agreed provisions on data in a free trade agreement. The provision helps to facilitate the cross-border flow of data by prohibiting requirements to store or process data in a certain location. This prevents the imposition of costly requirements for British businesses.”

The provisions on cross-border data flows in the digital trade section are here:

 

Article DIGIT.6 Cross-border data flows

  1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the Parties by a Party:

(a) requiring the use of computing facilities or network elements in the Party’s territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party;

(b) requiring the localisation of data in the Party’s territory for storage or processing;

(c) prohibiting the storage or processing in the territory of the other Party; or

(d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties’ territory or upon localisation requirements in the Parties’ territory.

  2. The Parties shall keep the implementation of this provision under review and assess its functioning within three years of the date of entry into force of this Agreement. A Party may at any time propose to the other Party to review the list of restrictions listed in paragraph 1. Such a request shall be accorded sympathetic consideration.

Article DIGIT.7 Protection of personal data and privacy

  1. Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.

  2. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.

  3. Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains.

 

CYBERSECURITY

The agreement commits the EU and UK to establishing regular dialogue on cybersecurity issues, to share information across a range of areas and to co-operate with international bodies.

It also paves the way for the UK to participate in the EU Agency for Cybersecurity’s work on capacity building, knowledge and information and awareness raising and education.

The most relevant sections of the agreement are here:

 

Title II: Cyber security

Article CYB.1: Dialogue on cyber issues

The Parties shall endeavour to establish a regular dialogue in order to exchange information about relevant policy developments, including in relation to international security, security of emerging technologies, internet governance, cybersecurity, cyber defence and cybercrime.

Article CYB.2: Cooperation on cyber issues

  1. Where in their mutual interest, the Parties shall cooperate in the field of cyber issues by sharing best practices and through cooperative practical actions aimed at promoting and protecting an open, free, stable, peaceful and secure cyberspace based on the application of existing international law and norms for responsible State behaviour and regional cyber confidence-building measures.

  2. The Parties shall also endeavour to cooperate in relevant international bodies and forums, and endeavour to strengthen global cyber resilience and enhance the ability of third countries to fight cybercrime effectively.

Article CYB.3: Cooperation with the Computer Emergency Response Team – European Union

Subject to prior approval by the Steering Board of the Computer Emergency Response Team – European Union (CERT-EU), CERT-EU and the national UK computer emergency response team shall cooperate on a voluntary, timely and reciprocal basis to exchange information on tools and methods, such as techniques, tactics, procedures and best practices, and on general threats and vulnerabilities.


Article CYB.4: Participation in specific activities of the Cooperation Group established pursuant to Directive (EU) 2016/1148

  1. With a view to promoting cooperation on cyber security while ensuring the autonomy of the Union decision-making process, the relevant national authorities of the United Kingdom may participate at the invitation, which the United Kingdom may also request, of the Chair of the Cooperation Group in consultation with the Commission, in the following activities of the Cooperation Group:

(a) exchanging best practices in building capacity to ensure the security of network and information systems;

(b) exchanging information with regard to exercises relating to the security of network and information systems;

(c) exchanging information, experiences and best practices on risks and incidents;

(d) exchanging information and best practices on awareness-raising, education programmes and training; and

(e) exchanging information and best practices on research and development relating to the security of network and information systems.

  2. Any exchange of information, experiences or best practices between the Cooperation Group and the relevant national authorities of the United Kingdom shall be voluntary and, where appropriate, reciprocal.

Article CYB.5: Cooperation with the EU Agency for Cybersecurity (ENISA)

  1. With a view to promoting cooperation on cyber security while ensuring the autonomy of the Union decision-making process, the United Kingdom may participate at the invitation, which the United Kingdom may also request, of the Management Board of the EU Cybersecurity Agency (ENISA), in the following activities carried out by ENISA:

(a) capacity building;

(b) knowledge and information; and

(c) awareness raising and education.

  2. The conditions for the participation of the United Kingdom in ENISA’s activities referred to in paragraph 1, including an appropriate financial contribution, shall be set out in working arrangements adopted by the Management Board of ENISA subject to prior approval by the Commission and agreed with the United Kingdom.

  3. The exchange of information, experiences and best practices between ENISA and the United Kingdom shall be voluntary and, where appropriate, reciprocal.
