All of the different types of biobank structures in the UK have been and will continue to be affected by Brexit, but in different ways. Smaller biobanks that collect, process or share data solely within the UK are affected less, although the applicable law will change. Larger, networked, UK-based biobanks that share data outward to the EU and other countries, and those which receive inward coming data from the EU and other countries are affected more, because pre-Brexit and pre-transition the basis on which the lawfulness of data protection in those transactions is secured is the UK’s membership of the EU and the Withdrawal Agreement. Some biobanks, for instance, commercial operators, may be able to circumvent the inconvenience of Brexit, and continue to operate as before within the EU, by incorporating in an EU Member State. This approach is not open to university-based or governmental/institutional UK biobanks. Those biobanks that rely on EU networks and funding may find that they are totally excluded from such access, depending on the form that the future EU-UK trade relationship takes.
We now focus on the legal position for UK data protection law, as it applies in biobanking contexts, post-Brexit. In the run up to 29 March 2019, the UK government issued several guidance notes and other policy documents giving advice about the post-Brexit legal position. Some of this guidance is relevant to the GDPR and biobanking. Of course, however, the views of the government, even expressed in formal guidance notes, do not have the force of ‘hard’ law. The section therefore outlines the position under the only relevant primary UK legislation currently enacted at the time of writing: the EU (Withdrawal) Act 2018, and under relevant secondary (delegated) legislation in the form of statutory instruments. These latter are executive acts with the full force of law in the UK.Footnote 88 These provisions apply whatever the form of Brexit, and do not distinguish between the position under the Withdrawal Agreement and that in a ‘No Deal’ situation (which did not, in the end, occur).
We then consider the legal position under each of the possible forms of Brexit discussed in this chapter: under the EU-UK Withdrawal Agreement, and what the position would have been in the event of a No Deal Brexit. We have retained the latter analysis to illustrate both the complexities of Brexit and the position should the EU and UK be unable to agree a trade agreement by the end of December 2020. When we originally wrote this chapter, we did not know how the UK would implement its obligations under the Withdrawal Agreement, so that analysis is by definition more conjectural.
4.1 Domestic Legislation, Statutory Instruments, ‘Soft Law’, Guidance
4.1.1 Soft Law and Guidance on Data Protection Post-Brexit
In December 2018, the UK government issued a technical note giving guidance on data protection post-Brexit. That guidance was withdrawn on 1 March 2019,Footnote 89 and replaced with revised guidance adopted on 6 February 2019.Footnote 90 It complements guidance from the ICOFootnote 91 on the future data protection regime in case of a No Deal Brexit, which remains in place. The guidance applies to all organisations to which the GDPR applies, so it applies to UK biobanks.
4.1.2 Data Protection Under the EU (Withdrawal) Act 2018
As ‘retained EU law’, the GDPR is in principle part of UK law on Exit Day, under the terms of the EU (Withdrawal) Act 2018.
However, the GDPR (as a source of ‘retained EU law’) will be subject to future amendments made by the UK legislator. Any such amendments are legally authorised on the basis of powers set out in the EU (Withdrawal) Act 2018, the Data Protection Act 2018, and the European Communities Act 1972. These powers allow the UK government to act unilaterally to remedy any ‘deficiencies’ in ‘retained EU law’. These amendments will take effect through secondary legislation: the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019,Footnote 92 and any subsequent secondary legislation. The EU (Withdrawal) Act 2018 makes no provision for UK compliance with the Withdrawal Agreement (see further below in Sect. 4.2.3).
4.1.3 The Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019
The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019Footnote 93 (hereafter, ‘the EU Exit Regulations’) amend various parts of legislation to take account of the UK leaving the EU. They came into force on Exit Day. In summary, the Regulations amend the Data Protection Act 2018, the GDPR as ‘retained EU law’ (known in the Regulations as ‘the UK GDPR’), and merge provisions of the two.Footnote 94 Schedule 1 lists the amendments to the UK GDPR, while schedule 2 deals with the amendments to the Data Protection Act 2018. Schedule 3 deals with consequential amendments to other legislation, and schedule 4 addresses amendments consequential on provisions of the 2018 Act.
The UK government claimsFootnote 95 that the majority of the changes to the existing law involve removing references to EU institutions and procedures that will not be directly relevant when the UK is outside the EU. This is accurate. Many changes, for instance, simply change ‘the Union’ or ‘a Member State’ for ‘the UK’; or ‘the competent authority’ for ‘the Commissioner’, that is, the Information Commissioner as referred to in the Data Protection Act, section 114 and schedule 12.
However, the EU Exit Regulations do make some changes to the legal position beyond removing references to the EU and its institutions and procedures. The key changes of relevance or potential relevance to biobanking are as follows:
Standard data protection contractual clauses
Information exchange and cooperation
Removal of procedural and remedial safeguards
General principles of EU law.
(a) Adequacy Decisions
The EU Exit Regulations add new sections 17A and 17B, and 74A to the Data Protection Act 2018. These give the Secretary of State power to adopt adequacy decisions by regulations, and oblige the Secretary of State to keep such decisions under periodic review. An adequacy decision may be taken in respect of a third country (which in this context, contrary to its meaning in EU and international law, means a country outside of the UKFootnote 96); a territory or one or more sectors within a third country; an international organisation (such as the EU); or a description of such a country, territory, sector or organisation. Transfer of personal data from the UK to such a country, territory, sector or organisation would not be lawful in the absence of an adequacy decision, or other basis for lawful transfer, such as ‘special circumstances’, or ‘standard data protection clauses’ (see below in Sect. 4.3.2).
When assessing the adequacy of protection in a third state or international organisation, the Secretary of State must take into account a list of factors outlined in new section 74A of the Data Protection Act. These repeat verbatim the matters that the European Commission should take into account when assessing adequacy, as provided in Article 45 (2) GDPR. Briefly, these include:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country … including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States;
and (c) the international commitments the third country … has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems…
The Secretary of State must monitor developments in such third countries, sectors etc, and amend or revoke adequacy decisions accordingly, having given the country etc the opportunity to remedy any lack of protection. In addition, each adequacy decision must be reviewed at least once every 4 years.Footnote 97
The UK government’s guidance explains that the UK ‘will transitionally recognise all EEA countries (including EU Member States) and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue,’ and ‘preserve the effect of existing EU adequacy decisions’, including the EU-US Privacy Shield, on a transitional basis.Footnote 98 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019, schedule 2, article 102, inserting a new Schedule 21 into the UK GDPR, provides that all EEA states (which of course include all EU27 Member States), Gibraltar, EU and EEA institutions, and all the third countries, territories, sectors or international organisations which the EU recognises with adequacy clauses (Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Faroe Isles, Andorra, Israel, Uruguay, New Zealand, and the USA) are regarded as countries etc which the UK recognises as having an adequate level of protection for personal data transferred from the UK into that country. In the context of biobanking this means that it will be lawful for biobanks in the UK to continue to conduct data transfers of UK citizens’ data, and other data they hold, to organisations based in all of these places.
Obviously the UK’s EU Exit Regulations can make no provision for the transfer of personal data into the UK from another country. Non-EU countries will each need to decide how to treat the UK as a non-EU Member State, when, up to the end of the transition period they have been recognising the UK’s treatment of personal data as adequate because the UK is an EU Member State. It was reported in April 2019 that some countries have indicated that they will continue to allow free data flow into the UK, even in the event of a No Deal Brexit.Footnote 99 This might be the case also in the event of a failure to agree an EU-UK trade agreement. These countries include Switzerland, Israel, and the USA. The legal nature of these permissions is domestic law within each third country.
Transfer of personal data from EU Member States into the UK post Brexit remains subject to EU law. In the absence of any other provision being in place (but see further below Sects. 4.2.1 and 4.3.1), the UK is treated as a ‘third country’ in the terms of the GDPR. This will mean that transfer of data to biobanks in the UK is unlawful, unless there is a lawful basis for that transfer as provided for under the GDPR. At present, there is no agreement on how the UK and EU are to treat each other’s assessments of adequacy. The biobanking sector, like many (or possibly all) other sectors which rely on sharing of data across borders, has noted that it would be beneficial if some agreement was reached that would allow for mutual recognition. This will be easier to achieve because Brexit took place under the Withdrawal Agreement, as opposed to on a ‘No Deal’ basis (see further below, Sect. 4.2).
(b) Standard Data Protection Contractual Clauses and Binding Corporate Rules
Approach to Standard Data Protection Contractual Clauses and Binding Corporate Rules
The EU Exit Regulations 2019 purport to offer some level of legal continuity, as they amend the Data Protection Act to provide that standard contractual clauses and binding corporate rules that are authorised before Exit Day will remain valid.Footnote 100 UK-based biobanks which currently transfer UK citizens’ data, and other data they hold, to organisations based in other countries, on the basis of standard data protection contractual clauses or binding corporate rules, will be able to continue to do so after Exit Day. Post-Brexit, standard contractual clauses become known as ‘standard data protection clauses’ in UK law.Footnote 101 The EU Exit Regulations also empower the Information Commissioner to withdraw authorisation for binding corporate rules.Footnote 102
Schedule 2 of the EU Exit Regulations adds new sections 17C and 119A to the Data Protection Act. These provisions address standard data protection clauses. Such clauses are those which the Secretary of State considers provide appropriate safeguards for transfers of data to a third country or international organisation, in accordance with new sections 17A and 17B. Schedule 3 of the Regulations revokes existing EU law (that otherwise would become retained EU law) which provides for standard contractual clauses.Footnote 103 To replace this, the Information Commissioner is empowered, in consultation with the Secretary of State, and any other stakeholders the Commissioner considers appropriate,Footnote 104 to specify ‘standard data protection clauses’ which are sufficient to provide adequate safeguards for the purposes of transfer of data to a third country or international organisation,Footnote 105 and also to amend or withdraw such standard clauses.Footnote 106 In effect, standard contractual clauses become standard data protection clauses in the Regulations. Documents issued by the Commissioner specifying standard data protection clauses are subject to a negative Parliamentary assent procedure.Footnote 107 For UK-based biobanks wishing to continue to conduct data transfers of UK citizens’ data, and other data they hold, to organisations based in other countries, standard data protection contractual clauses are a potential basis for lawful transfer of data post-transition.
Again, as with adequacy decisions, the UK’s EU Exit Regulations can make no provision for the post-transition transfer of data from EU-based entities, or those based in other countries, to UK-based biobanks. There is (as yet) no agreement on coordination or mutual recognition of such clauses between the UK and the EU, and in any event the nature of these clauses is currently the subject of litigation before the CJEU (see further below, Sect. 4.3.1).Footnote 108 Despite this, the ICO has produced an interactive tool for businesses to deal with standard contractual clauses if the UK does leave the EU without a deal.Footnote 109 The ICO recommends that organisations that need ‘to maintain the free flow of personal data into the UK from Europe, in the event the UK exits the EU without a deal… should consider using standard contract clauses’.Footnote 110 But the ICO can only account for movement of data out of the UK, not into the UK. To write of ‘free flow’ of data, as the ICO’s recommendations do, is to misrepresent the formal legal position. It is not yet clear what the EU’s position will be on data transfer into the UK from the EU following a failure to agree a trade agreement at the end of transition (see further below in Sect. 4.3.1).
(c) Information Exchange and Cooperation
The EU Exit Regulations remove all obligations on the UK, or entities within the UK, to cooperate within the structures of the EU, or to exchange information with the European Commission. Instead, the Regulations envisage that the Council of Europe’s Data Protection ConventionFootnote 111 (which the UK has signed and ratified) will be the basis of interstate data protection cooperation post transition, through the Convention’s obligations to designate one or more authorities to furnish information to authorities in other states on law and administrative practice in data protection.Footnote 112 This Convention is the first binding international instrument on individual personal data protection. It seeks to prohibit abuses that may arise when personal data is collected or processed, to ensure that sensitive data (such as concerning health) is subject to legal safeguards, to secure a ‘right to know’ what information is held, and to regulate the flow of personal data across borders. The UK’s data protection law secures compliance with these international obligations. The Data Protection Convention will thus have increased significance to the UK’s data protection framework post-Brexit, where there continues to be uncertainty about how the EU will treat the UK for data protection purposes post-transition. This will depend on the type of Brexit (see further below), and what the EU and the UK eventually agree in terms of future EU-UK relationships.
(d) Procedural and Remedial Safeguards
The EU Exit Regulations remove the obligation to the effect that the authority that supervises the application of the GDPR (in the UK, the Information Commissioner) must, when imposing administrative fines, comply with national and EU law on procedural safeguards, including effective judicial remedy and process.Footnote 113 Instead, section 115 (9) of the Data Protection Act makes provision about the exercise of the Commissioner’s functions when imposing administrative fines. The right to an effective remedy and other general principles of EU law concerning due process are an important feature of EU law in various contexts, including data protection. Essentially driven by the CJEU, these principles have formed an important part of the development of EU data protection law, which includes the entitlement of data subjects to secure effective remedies for breach, part of the overall compliance and sanctions regime under the GDPR.
The Data Protection Act, section 115 (9), as amended, provides that the Commissioner may only exercise its powers to issue administrative fines by giving a penalty notice, as provided for in section 155, having determined that a person has failed, in the sense prescribed in section 149, to comply with provisions of the GDPR. The pre-Brexit position was that this form of implementation is—at least in theory—subject to scrutiny for compliance with general principles of EU law. Post-transition, this layer of scrutiny is removed. However, of course, the UK will retain its obligations to due process under the ECHR, such as a right to a fair hearing.
(e) General Principles of EU Law
The EU Exit Regulations exclude from application any case law or general principles of EU law not relevant to the GDPR, or chapter 2 or Parts 5–7 of the Data Protection Act.Footnote 114 These are the parts of the existing law concerning interpretation of the applicable legal provisions. The change made by the EU Exit Regulations means, for instance, that future CJEU interpretations of broader principles of EU law, such as under the EU CFR, and in Mangold-type cases,Footnote 115 will not apply in the UK as retained EU law. This is consistent with the amendment to the Data Protection Act, section 205, which provides that references in that Act to a ‘fundamental right or fundamental freedom’ are only to such fundamental rights and freedoms which continue to form part of UK domestic law after Exit Day. The European Union (Withdrawal) Act, section 4, provides that EU law rights, obligations, or remedies that come from the CJEU’s jurisprudence continue to be part of ‘retained EU law’, only if they are recognised as such in a case decided by the CJEU before Exit Day. The intention seems to be to sever the way that relevant law in the UK is interpreted from how those interpretations develop in the EU, following Exit Day, and to do so irrespective of whether the Withdrawal Agreement—which provides in its Article 131 that the CJEU’s jurisdiction continues in the UK during transition—is agreed or not. The implications of this are difficult to ascertain. During transition, the European Union (Withdrawal Agreement) Act 2020 ‘switches back on’ the European Communities Act 1972, to the effect that EU law (including judgments of the CJEU) continues to apply to and within the UK until the end of December 2020. 
However, after that, the European Union (Withdrawal) Act, section 4, provides that EU law rights, obligations, or remedies that come from the CJEU’s jurisprudence continue to be part of ‘retained EU law’, only if they are recognised as such in a case decided by the CJEU before Exit Day (not the end of transition). The intention seems to be to sever the way that relevant law in the UK is interpreted from how those interpretations develop in the EU, following Exit Day, and to do so despite the fact that the Withdrawal Agreement provides in its Article 131 that the CJEU’s jurisdiction continues in the UK during transition. Questions about the significance of this legislation go to questions of future regulatory alignment between the UK and the EU, which itself will then affect the extent to which the EU is able to recognise the UK’s regulatory environment as embodying an adequate protection for data, including the kinds of health-related data that biobanks process. These matters are discussed further in Sect. 4.2 below.
4.2 The EU-UK Withdrawal Agreement and Biobanking
4.2.1 Data Protection Law Under the Withdrawal Agreement
We note at the start of this section that aspects of the Withdrawal Agreement’s text on data protection are difficult to interpret.Footnote 116 Of course, as the Withdrawal Agreement has only recently entered into force, there are no binding judicial rulings on the meaning of its text. The underlying aim of the Withdrawal Agreement is to ensure an orderly withdrawal of the UK from the EU, and to avoid disruption during the transition period by ensuring that EU law applies to and in the UK during that period.Footnote 117 The Withdrawal Agreement’s provisions should thus be interpreted with that aimed-for continuity in mind.
In general, the Withdrawal Agreement provides that the UK is to be treated as a Member State of the EU during the transition period.Footnote 118 So, in general, EU law continues to apply to and in the UK, as if the UK were still a Member State, from Exit Day until the end of transition.Footnote 119 Thus, the GDPR continues to apply in and to the UK during that period. Biobanks in the UK will continue to be required to comply with the GDPR. The Withdrawal Agreement also provides that references to competent authorities of Member States in provisions of EU law made applicable by the Withdrawal Agreement are to include UK competent authorities.Footnote 120 This means that, until the end of December 2020, the UK’s ICO continues to be recognised as an institution of a Member State, even though the UK is no longer a Member State of the EU.
However, this continuity rule applies only ‘unless otherwise provided’ in the Withdrawal Agreement.Footnote 121 One of the key exclusions concerns the UK’s participation in EU institutions, and in decision-making and governance of the bodies, offices and agencies of the Union. The UK will no longer participate in such entities.Footnote 122 The European Data Protection Board, established under the GDPR,Footnote 123 is (presumablyFootnote 124) a ‘body’ of the Union for these purposes. The Withdrawal Agreement makes no explicit provision for the UK’s continued participation in the European Data Protection Board or its information sharing systems. The precise modalities of the situation where the UK Information Commissioner is excluded from the European Data Protection Board, but the ICO is still recognised as a competent national authority under the GDPR, are far from clear. This may have practical implications for UK-based biobanks, for instance seeking to rely on the European Data Protection Board’s guidance on the ‘one stop shop’ principle, in terms of which national supervisory authority should be the lead supervisory authority after Exit Day and during transition. Biobanks which operate across the EU and the UK may find themselves subject to parallel proceedings.Footnote 125
The Withdrawal Agreement has a separate title (Title VII) on data processing. It covers ‘Union law on the protection of personal data’, which includes the GDPR,Footnote 126 but excludes the GDPR’s Chapter VII, which covers cooperation between supervisory authorities in the EU, consistency, dispute resolution and the European Data Protection Board. Title VII of the Withdrawal Agreement also includes ‘any other provisions of Union law governing the protection of personal data’.Footnote 127 Other relevant provisions of Union law include the EU CFR, and ‘general principles’ of EU law, both of which include the right to protection of personal dataFootnote 128 and the right to privacy.Footnote 129 There is an unresolved question here about whether the EU Exit Regulations’ exclusion of general principles of EU law ‘not relevant to’ the GDPR as it applied immediately before Exit DayFootnote 130 is compliant with the UK’s obligations under the Withdrawal Agreement.
Title VII consists of just four provisions, two of which are not relevant to biobanking.Footnote 131 The remaining two provisions have the following implications.
The Withdrawal Agreement, Article 71, provides:
Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of the personal data of data subjects outside the United Kingdom, provided that the personal data:
were processed under Union law in the United Kingdom before the end of the transition period; or
are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.
It is very difficult to make sense of this provision. If the UK is to be treated as if it were a Member State of the EU during the transition period,Footnote 132 and if EU law continues to apply to and in the UK during that time,Footnote 133 the GDPR continues to apply as pre-Brexit. Processing in the UK during transition (or afterwards, on the basis of the Agreement, for instance, in the case of coordination of social security entitlements of migrants) of personal data of data subjects in a Member State (‘data subjects outside the United Kingdom’) is protected under the GDPR and its coordination arrangements, as pre-Brexit. One way to make sense of this provision, therefore, is that it is an exception to the general rules in the Withdrawal Agreement. For the purposes of transfer of data of a data subject in an EU Member State from that EU Member State to the UK for processing, during transition, the UK is not to be treated as if it were a Member State, and the GDPR does not apply. But if this is the intention of the provision, its drafting is far from clear.
Article 71 covers only personal data of data subjects outside the UK processed or obtained before the end of the transition period, or on the basis of the Withdrawal Agreement. In effect, it operates as if it were an adequacy decision. It does not cover personal data of data subjects within the UK. The majority of data held by UK-based biobanks is personal data of UK-based data subjects. But, especially given the way in which biobanks are networked, some of their data is personal data of data subjects outside the UK. If this interpretation is correct, the law applicable to UK-based biobanks would differ, depending on the source of the personal data. This would potentially create difficult—or even impossible—situations for UK-based biobanks in terms of data processing, depending on the extent to which UK data protection law diverges from EU data protection law. We noted some possible places of divergence in Sect. 4.1.3 above.
Article 71 (2) provides that paragraph 1 does not apply in the event that the European Commission adopts an adequacy decision under GDPR, Article 45. There is even provision in the Withdrawal Agreement for the withdrawal of an adequacy decision during the transitional period. In that event, Article 71 (3) of the Withdrawal Agreement provides that ‘to the extent that a decision referred to in paragraph 2 has ceased to be applicable’, the UK is obliged to ensure a level of protection of personal data that is ‘essentially equivalent’ to that in EU law.
Under the Withdrawal Agreement, Article 73, the EU is obliged to continue to treat data obtained from the UK before the end of transition, or after the end of transition on the basis of the Withdrawal Agreement, the same as data obtained from an EU Member State, or rather, not to treat it differently ‘on the sole ground of the UK having withdrawn from the Union’.Footnote 134 This drafting is unfortunate, given that the text of the GDPR contemplates only two categories of states: EU Member States and ‘third countries’. It is possible that the Withdrawal Agreement’s effect, combined with the GDPR rules on ‘third countries’ is that some kind of provision for data transfer into the EU from the UK is necessary during the transition period—be that an adequacy decision, appropriate safeguard, or special circumstances. But the political declaration on the future relationship between the EU and the UK indicates that the EU intends to begin the process of adopting an adequacy decision as soon as possible after Exit Day, so as to have such a decision in place by the end of transition. Given that, the better interpretation of the Withdrawal Agreement is an intention to continue the current legal position between Exit Day and December 2020 (or the end of transition if a different date).Footnote 135
4.2.2 Other Law Relevant to Biobanking Under the Withdrawal Agreement
Other aspects of the Withdrawal Agreement will also be significant for biobanking. We noted above that the UK participates in the EU-funded BBMRI-ERIC network of biobanks and biomolecular resources.Footnote 136 Under the Withdrawal Agreement, during transition, the UK is to be treated as if it were a Member State. The Withdrawal Agreement’s financial settlement provisions oblige the UK to continue making contributions to the EU budget as if it were a Member State during 2019 and 2020, and pay a share of the EU’s budgetary commitments made under the 2014–2020 Multiannual Financial Framework (but which are not yet paid on 31 December 2020 when that framework comes to an end), on which Horizon 2020 funding is premised.
This means that access to EU funding for UK-based biobanks (and other research organisations) will continue during transition. After the end of transition, the UK could become a member, or an observer, of BBMRI-ERIC, if the Assembly of Members of BBMRI-ERIC grants its approval. The Assembly must do so on the basis of agreement of at least 75% of the Members, representing at least 75% of the Members’ annual contributions. This means that no single Member of BBMRI-ERIC has a veto. At present, only EEA states are members (Norway included), but there is no legal impediment to a third country becoming a member.Footnote 137
4.2.3 Domestic Implementation of the EU-UK Withdrawal Agreement
The Withdrawal Agreement requires the UK to render its obligations under the EU/UK Withdrawal Agreement into domestic law through domestic primary legislation.Footnote 138 As the UK is a ‘dualist’ state, provisions of an international agreement are conceptualised as an executive act, and do not have automatic legal effect in its legal systems.
The European Union (Withdrawal Agreement) Act 2020 provides for the continued application of the European Communities Act 1972 during transition. This means the continued supremacy and direct effect of law agreed between the UK and the EU (that is, the Withdrawal Agreement). In effect it creates a new source of law in the UK’s constitution: that of Withdrawal Agreement law, in the same way that the European Communities Act 1972 is, in the words of the UK Supreme Court in Miller, the ‘conduit pipe’ by which EU law becomes ‘an independent and overriding source’ of UK law.Footnote 139
The benefits of this approach are that it secures compliance with the provisions of the Withdrawal Agreement, Article 4, which provides that:
The provisions of this Agreement and the provisions of Union law made applicable by this Agreement shall produce in respect of and in the United Kingdom the same legal effects as they produce within the Union and its Member States. Accordingly, legal or natural persons shall in particular be able to rely directly on the provisions contained or referred to in this Agreement which meet the conditions for direct effect under Union law.
The United Kingdom shall ensure compliance with paragraph 1, including as regards the required powers of its judicial and administrative authorities to disapply inconsistent or incompatible domestic provisions, through domestic primary legislation.
The provisions of this Agreement referring to Union law, or to concepts or provisions thereof, shall be interpreted and applied in accordance with the methods and general principles of Union law.
The provisions of this Agreement referring to Union law, or to concepts or provisions thereof shall in their interpretation and application be interpreted in accordance with the relevant case law of the Court of Justice of the European Union handed down before the end of the transition period.
In the interpretation and application of this Agreement, the United Kingdom’s judicial and administrative authorities shall have due regard to relevant case law of the Court of Justice of the European Union handed down after the end of the transition period.
Further, there is significant jurisprudence, including from the House of Lords (the predecessor to the UK Supreme Court, the highest court in the land), on the meaning and effect of the relevant parts of the European Communities Act 1972. In particular, the Factortame rulingFootnote 140 confirms that domestic legislation, irrespective of its date, that cannot be consistently interpreted with directly effective, validly adopted EU law, must be disapplied. This approach thus entails significant legal certainty and clarity. It is a better approach than either considering the Withdrawal Agreement as ‘ordinary’ international law (which would potentially fail to fulfil the UK’s Withdrawal Agreement obligations despite the presumption that Parliament intends to comply with the UK’s obligations in international lawFootnote 141) or using the words of the Withdrawal Agreement itself (which would introduce uncertainty about the direct effect of the Withdrawal Agreement, as there is no universal rule in EU law as to direct effect of provisions of treaties to which the EU is a party: it is dependent on the context, aims and objectives of the treaty concernedFootnote 142).
In the biobanking context, the consequences are that the decision of the UK to ‘switch back on’ the existing obligations under the European Communities Act 1972 makes it easier for the EU to take the view that the UK’s data protection regulatory environment is sufficiently protective of personal data to permit data flow into the UK. This goes to questions of adequacy decisions, standard contract clauses, codes of conduct and binding corporate rules, which are the basis on which data from EU Member States (and other countries) may be shared with UK-based biobanks after Exit Day.
4.3 The Law If ‘No Deal’ Brexit
4.3.1 The EU’s Position
When we originally wrote this chapter, it was not clear whether the EU and UK would agree a Withdrawal Agreement. At that time, the EU had been consistently clear in its position that, in the event of a No Deal Brexit, the UK would have been treated as an ordinary ‘third country’. The implications for matters such as access to EU funding, for instance through the UK’s participation in BBMRI-ERIC, were that the existing legal arrangements would have ceased immediately, unless another legal provision was adopted to respond to the exigencies of ‘No Deal’ (so-called ‘managed No Deal’). In January 2019, the European Commission proposed, on an extraordinary legal basis, a transitional provision for 2019,Footnote 143 which in effect would have allowed the UK, and UK-based entities, to be treated as eligible for funding, provided that the UK had paid into the EU budget, on a monthly basis. This proposal was not adopted, but it could be if ‘No Deal’ becomes politically more likely again, for instance in the run up to 31 October 2019. The obvious problem with such transitional measures is that they cannot deal with difficult broader decisions about the nature of the EU-UK relationship after Brexit, which will need to be determined before longer-term collaborative funding arrangements can be secured.
The European Data Protection Board’s February 2019 information note is consistent with the position that the UK would have been treated as an ordinary ‘third country’ immediately on a No Deal Brexit:
In the absence of an agreement between the EEA and the UK (No Deal Brexit), the UK will become a third country from 00.00 am CET on 30 March 2019. This means that the transfer of personal data to the UK has to be based on one of the following instruments as of 30 March 2019:
Note that none of the listed bases of lawful transfer of personal data to the UK, in the event of No Deal Brexit, is that of an adequacy decision. It might be thought that this would have been the most convenient solution for all concerned, including EU-based biobanks which are networked with UK-based biobanks and wish to continue to share data. As noted above, in Sect. 4.1.3, the UK has affirmed that it will regard the EU’s data protection provision as adequate for the purposes of transfers of data to the EU. The GDPR provides that the Commission may decide that a third country, or one or more specified sectors in that third country (such as the biobanking sector), ensures an adequate level of protection of personal data. Transfer of personal data from the EU to a country or sector within a country that is subject to such an adequacy decision is lawful under the GDPR without any further specific authorisation.Footnote 145 The UK has become a ‘third country’, but its law, up until the end of transition, was (at least presumptively) compliant with EU data protection law. Indeed, post-transition under the EU (Withdrawal) Act 2018, as amended by the EU (Withdrawal Agreement) Act 2020, the GDPR will become ‘retained EU law’, a part of the law of the UK. An adequacy decision seems the logical and practical approach.
However, adequacy decisions are formal acts, taken by the Commission, assisted by a committee and according to a specified procedure,Footnote 146 lasting for a period of up to 4 years, at which point they are reviewed.Footnote 147 Although, on duly justified imperative grounds of urgency, there is a power to adopt immediately applicable implementing acts revoking or withdrawing adequacy decisions,Footnote 148 there is no equivalent power to take an urgent adequacy decision. The GDPR sets the procedures through which adequacy decisions must be taken, and the EU institutions are not competent to depart from those procedures. To do so would have been ultra vires. Adequacy decisions are not suitable for the immediate legal ruptures implied by No Deal Brexit: to adopt an adequacy decision would be, in effect, to create a (partial) ‘Deal’, and would thus have undermined the EU’s negotiating position.
The CJEU has already found that aspects of UK data protection law are not compliant with EU law obligations, although not in the context of biobanking.Footnote 149 A January 2019 report from the UK Parliament’s Joint Committee on Human RightsFootnote 150 noted that the Data Protection Act 2018 may not provide as comprehensive a protection as Article 8 of the EU Charter of Fundamental Rights. The onward transfer of data from the UK to countries outside the EU is also an area of contention.Footnote 151
Furthermore, although the GDPR becomes ‘retained EU law’, as explained above, important changes to the GDPR are implemented by ministerial powers granted under the EU (Withdrawal) Act. Enforcement and remedial provisions also change: there will be no scope for dispute resolution within the European Data Protection Board, no obligation on UK courts to comply with rulings of the CJEU after the end of transition, and no jurisdiction of the CJEU to hear preliminary references from the UK courts.
All of the above explains why the EU’s contingency planning for a No Deal Brexit did not include adopting an adequacy decision with respect to the UK. This may become salient again if the EU and UK trade agreement negotiations fail. EU Member States may not lawfully adopt unilateral adequacy decisions: the power to do so rests with the European Commission only.
According to Article 44 of the GDPR, in the absence of a formal adequacy decision taken by the European Commission, or other basis for the lawful transfer of personal data, all data flows from the EU to the UK would immediately be unlawful under the GDPR.Footnote 152 If the EU does not take an adequacy decision to come into effect at the end of the transitional period, biobanks seeking to lawfully transfer personal data to UK-based biobanks must therefore rely on alternative bases for that data transfer.
As noted above, these include binding corporate rules; standard contractual clauses; codes of conduct; and ‘special circumstances’. We were unable to locate examples of binding corporate rules in the context of biobanking which are in the public domain, or plans for adopting such rules in the event of No Deal Brexit, or no EU-UK free trade agreement at the end of transition. Several multinationals in the pharmaceutical and biomedical industry have successfully adopted such binding corporate rules.Footnote 153 Given that this approach is more likely to be adopted by commercial biobanks, it is not a surprise that such plans are not available for us to scrutinize. In general, they are costly and time-consuming to put in place.
The most likely mechanism for lawful data transfer from an EU Member State to a non-commercial biobank in the UK in the event of No Deal Brexit was on the basis of standard contractual clauses. Standard contractual clauses may be approved by the competent supervisory authority in any Member State, provided they comply with the conditions set out in the GDPR.Footnote 154 In February 2010, the European Commission issued a template for standard contractual clauses (controller to processor) under the Data Protection Directive.Footnote 155 The GDPR provides that this template remains in place until it is replaced under the GDPR’s new arrangements.Footnote 156 The Commission Decision provides that the template may not be varied, although further commercial clauses may be added. This inflexibility may present some difficulties for data transfer from the EU to a UK biobank. Further, this template will apply only where the data controller is in an EU Member State and the processor is in the UK. It will not apply in a situation where the UK-based biobank is the data controller and hosts personal data with an EU-based processor.
Most importantly, moreover, the status of standard contractual clauses as a basis for data transfer to third countries is currently the subject of litigation before the CJEU. This litigation process was not completed before Exit Day, adding to the levels of uncertainty. Case C-311/18 Schrems II was referred to the CJEU for a preliminary ruling by the Irish High Court on 9 May 2018. The AG Opinion was issued in December 2019, but the CJEU may not make its decision until after the end of transition.
One of the key questions of contention is the consistency of standard contractual clauses with the requirements under EU law for data subjects to access effective remedies for violations of their rights. An important element of standard contractual clauses as a basis for lawful data transfer under the GDPR is that the contract gives data subjects specific rights, even though the data subject is not a party to the contract. Providing effective judicial remedies for private parties is a distinctive feature of EU law in general. These questions engage application of both the GDPR’s requirements and those of the EU Charter of Fundamental Rights, Articles 7 (privacy); 8 (data protection) and 47 (right to an effective judicial remedy).
Here the UK’s amendments to the GDPR, as ‘retained EU law’, through the relevant EU Exit Regulations, noted above in Sect. 4.1.3, are important. Will the UK arrangements for remedies and enforcement suffice to secure adequate protection from the point of view of the EU? Bear in mind, first, that the EU Exit Regulations remove all obligations on the UK, or entities within the UK, to cooperate within the structures of the EU, or to exchange information with the European Commission, including in matters of enforcement.
Further, and perhaps more seriously, the EU Exit Regulations,Footnote 157 the amended Data Protection Act,Footnote 158 and the European Union (Withdrawal) Act,Footnote 159 all seek to prevent future developments of EU law that arise through interpretations of the CJEU becoming applicable in the UK. If Schrems II is decided after the end of transition, Exit Day, any principles of EU law deriving from that decision would not necessarily be applied in the UK, and data subjects in the UK would not necessarily be able to rely on those principles in seeking to remedy any breaches of their data protection rights.
In view of those concerns, it may be preferable for the biobanking sector to move expeditiously to adopt a sector-specific code of conduct for health research, and have this code approved under Article 40 of the GDPR. Such a code of conduct would provide a lawful basis for transfer of data to UK-based biobanks from the EU post-transition.
One final possibility is that EU-based biobanks transfer data to UK-based biobanks on the basis of ‘special circumstances’.Footnote 160 This may be the most appropriate basis for lawful transfer following transition where data is being shared in the context of an on-going clinical trial. A patient (data subject) already enrolled in that trial, and who perhaps cannot access any other licensed treatment for their condition, would need to secure continued data transfer to protect their ‘vital interests’. For pure research, it might be feasible to argue that ‘safeguarding legitimate interests of the data subject’ justifies continued sharing of data to the UK, at least in the context of an existing research project which may result in some benefit, however remote, for the data subjects concerned. UK Biobank certainly seems to believe that legitimate interests and the public interest are an appropriate basis for its data processing, although whether it is sufficient for data transfer is unclear. There are also discussions regarding the possibility of relying on ‘public interest’ when collaborating with the US for transfers not covered under the EU’s adequacy decision for the US (the ‘privacy shield’).Footnote 161
The position with regard to personal data that has already been transferred from the UK to the EU remains uncertain. By analogy with the revocation of an adequacy decision under Article 45 (5) GDPR, the effects of the UK leaving the EU on the lawfulness of the transfer of the data should not have retroactive effect. In practice, unless the European Data Protection Board or European Commission takes a decision applicable to the whole EU, it is likely to depend on the view adopted by the supervisory authority in the relevant EU Member State. Hence, it may be that data is processed by biobanks in the EU in a situation that is technically unlawful, or perhaps better described as a situation of ‘a-legality’,Footnote 162 failure of the EU and UK to reach agreement on the matter.
4.3.2 The UK Position
The UK government’s position was to seek to secure as much continuity as possible in the event of No Deal Brexit, and presumably also a failure to reach agreement on a future trade relationship. For Horizon 2020 funding, the UK Chancellor announced in August and October 2016 that the UK government would guarantee funding for UK participants (but not for their EU collaborating partner organisations) in Horizon 2020 projects in place before Exit Day. A further ministerial statement made to Parliament on 26 July 2018,Footnote 163 and accompanied by a statement of liabilities in a departmental Minute laid before the UK House of Commons, assures UK organisations (which includes biobanks) that
The Treasury is also guaranteeing funding in event of a no deal for UK organisations which bid directly to the European Commission so that they can continue competing for, and securing, funding until the end of 2020. This ensures that UK organisations, such as charities, businesses and universities, will continue to receive funding over a project’s lifetime if they successfully bid into EU-funded programmes before December 2020.
The details of how this commitment would have been administered in practice in a No Deal Brexit situation, where funding is shared among consortia involving UK organisations and those in EU Member States, were far from clear, and the UK government has recognised that this was the case.Footnote 164
If the UK Clinical Research Collaboration’s Tissue Directory and Coordination Centre were excluded from BBMRI-ERIC and/or other EU funding and collaboration arrangements, it may look to intensify other collaborations, for instance with projects in the USA, Russia and China. This approach would obviously only be legally viable if the sharing of data under such collaborations complies with the post-Brexit and post-transition UK regulatory provisions, as outlined above.
The UK government’s position under a No Deal Brexit was that there would be no immediate change to data protection law,Footnote 165 and this presumably remains the case post-transition. The EU (Withdrawal) Act and secondary legislation based on it, such as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, discussed above, make no distinction between different types of Brexit. At the end of transition, the Data Protection Act 2018 would remain in place, and the GDPR changes from being EU law to being ‘retained EU law’. For data transfers from the UK to the EU, EEA and third countries deemed adequate by the EU at the end of transition, the UK has in effect taken an adequacy decision under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019, schedule 2, article 102, inserting a new Schedule 21 into the UK GDPR.
The assertion that there would be no immediate change to data protection law is self-evidently not the case with regard to data transfer from the EU to the UK, as without an adequacy decision, or other basis on which data may lawfully be transferred to a UK-based entity, such as ‘appropriate safeguards’ (standard contractual clauses, a code of conduct, or binding corporate rules), or ‘special circumstances’, the EU will treat the UK as non-compliant with its data protection law. This is also the case for data transfer from other countries which currently rely on the UK’s membership of the EU to allow data transfer into the UK. As noted above, the consequence for the activities of biobanks which rely on sharing of data with UK-based biobanks is that any continued sharing of data would potentially be unlawful. Given the difficulties with adequacy decisions, and the need for recognition from the EU, or a national competent authority in the EU, of standard contractual clauses, codes of conduct or binding corporate rules, this situation may be one in which the ‘special circumstances’ provision of the GDPR may be tested.
However, even with regard to data protection law as applicable solely within the UK, a better description of the legal position is that there would be no immediate change to the content of data protection law (apart from the changes outlined in Sect. 4.1.3 above), but that the source of data protection law would change. With this change of source, there may also be implications for the effects of the relevant law. Indeed, the UK government’s December 2018 guidanceFootnote 166 itself described the GDPR as ‘sitting alongside’ the Data Protection Act, which is quite different to the pre-Brexit legal position to the effect that the GDPR is a source of supreme EU law.