Data protection is non-negotiable in international trade agreements
The EDPS published today his Opinion on two proposed agreements between the European Union (EU) and the United Kingdom (UK): the Trade and Cooperation Agreement (TCA) and an agreement on the security procedures for exchanging and protecting classified information.
Given the close cooperation that is expected to continue between the EU and the UK, the EDPS welcomes these two agreements. In particular, the EDPS notes that the TCA is based on respecting and safeguarding human rights and the parties’ commitment to ensure a high level of protection of personal data.
Nevertheless, the EDPS regrets that the TCA fails to faithfully take over the EU’s horizontal provisions for cross-border data flows and for personal data protection. Such provisions, which the European Commission has repeatedly stated as non-negotiable, allow the EU to include measures to facilitate cross-border data flows in trade agreements while preserving individuals’ fundamental rights to data protection and privacy. Thus, in amending these horizontal provisions, the TCA creates legal uncertainty about the EU’s position on the protection of personal data in the context of trade agreements and risks creating friction with the EU data protection legal framework.
Wojciech Wiewiórowski, EDPS, said: “The wording agreed with the UK on data protection and privacy must remain an exception. We strongly recommend that the European Commission reiterates its commitment to the horizontal provisions as the only basis for a future trade agreement with other non-EU countries and that personal data protection and privacy rights will not be up for negotiation.”
The EDPS also makes remarks on the EU-UK law enforcement and judicial cooperation in criminal matters. While welcoming the data protection safeguards introduced in the TCA, the EDPS regrets that certain safeguards are missing and comments in particular the provisions on PNR and Prüm.
In addition, the EDPS highlights that the interim provision which allows transfers of personal data between the EU and the UK without procedural safeguards - as though the UK was still a member of the EU - should remain exceptional and not set a precedent for future TCAs with other non-EU countries.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
Processing of personal data: according to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
“EU horizontal provisions on Cross-border data flows and protection of personal data and privacy in the Digital Trade Title of EU trade agreements”: endorsed by the European Commission in 2018, these horizontal provisions allow the EU to include measures to facilitate cross-border data flows in trade agreements while fully preserving individuals’ fundamental rights to data protection and privacy. The horizontal provisions reach a balanced compromise between public and private interests as they allow the EU to tackle protectionist practices in third countries in relation to digital trade while ensuring that trade agreements cannot be used to challenge the high level of protection guaranteed by the EU Charter of Fundamental Rights and the EU legislation on the protection of personal data.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725 which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.
The EDPS opinions are published on our website, and later on, in the Official Journal of the EU, and officially transmitted to the European Parliament, the Council and the Commission.
The EDPS also has the power to issue opinions on any issue of relevance to the protection of personal data, addressed to the EU legislator or to the general public, in response to a consultation by another institution or on his own initiative.