Floundering on the Rock(s) of data protection

I looked a bit further into the data protection situation re: British Overseas Territory Gibraltar (EU-UK-GIB-Spain), which is quite intriguing 🧐

There is a temporary “in-principle agreement” on this in the form of a “non-paper” (agreed almost literally at the last minute, on 31 December last year), which is supposed to be translated into a proper treaty in the coming months (first 6 months of 2021). See these two articles:

Spain and UK reach draft deal on post-Brexit status of Gibraltar (The Guardian, 31 December 2020)
What the post-Brexit Gibraltar deal means (Politico, 12 January 2021)

The actual text of the non-paper was leaked (of course).

Paragraph 22 concerns data protection:

“To facilitate the continued flow of personal data required for enhanced cooperation between Gibraltar and the EU, the [still to be drafted/finalised] EU/UK(GIB) Agreement will make provision for the General Data Protection Regulation and the Law Enforcement Directive to continue to apply to Gibraltar after December 2020 on a dynamic alignment basis.”

So in due course, the Gibraltar data protection regime will be, and will remain, the EU GDPR (or at least it is supposed to be and remain so: see below) — but the current situation is unclear. This was legal advice from May last year:

“With the UK’s withdrawal from the EU on January 31, 2020, Gibraltar also ceased to be part of the EU. The GDPR continues to apply in Gibraltar until the end of the UK-EU transition period and is expected to apply after that with some modifications. This resource will be updated to reflect any post-transition changes in law.”

The “in principle” “non-paper” of course does not have any real legal effect (it may mean that the parties should not act against the spirit of it, under the Vienna Convention on the Law of Treaties, but does not actually affect the law). So at the moment the EU GDPR no longer applies in Gibraltar — but neither is the intended new regime in place.

I can only conclude that until this new EU-UK(GIB) treaty is in place, Gibraltar is a third country (territory) that has not been held to provide adequate protection to personal data in terms of EU law (GDPR and LED!), and data therefore cannot be freely transferred to it, in either commercial or law enforcement contexts.

I am also puzzled about how, in technical legal terms, the parties intend to give effect to the plan to make the General Data Protection Regulation and the Law Enforcement Directive “applicable” to Gibraltar under this still to be drafted/finalised treaty, and how they intend to ensure the intended “dynamic alignment”.

The current situation is a mess — and the future one still very unclear.

Questions & Answers

Q: Does the UK Data Protection Act cover Gibraltar?
A: Gibraltar is a British Overseas Territory with its own laws. Formally, the UK has responsibility for its defense and foreign relations. (In practice, as with other Crown Territories, the law tends to follow UK law quite closely – but not always fully.) The UK DPA therefore did not apply in Gibraltar (or on the Channel Islands or the Isle of Man); they had and have their own legal rules/laws. A Gibraltar law applied the EU GDPR, and it is still in place under section 6 of the European Union (Withdrawal) Act 2019. But without the EU Commission formally declaring that Gibraltar provides adequate protection, that does not mean data can be freely exported to it from the EU. And this has not (yet) happened.

Q: Is Gibraltar covered by the 6-month GDPR third country standstill with the UK in the (not yet approved by the European Parliament) Trade and Cooperation Agreement?
A: No, see Article FINPROV.1(3): “This Agreement shall neither apply to Gibraltar nor have any effects in that territory.”