Brexit busting – what is going to happen to data transfers after Brexit?

24 September 2018

Background

We all know about the GDPR: if you don’t, we offer a half-day training course in the subject so please let us know if you need training in this area, or just need an update as part of continuing training for staff. The thing in that GDPR that has grabbed the headlines is the massive fines that are available to punish those who breach its principles.

Much of the GDPR in fact replicates existing law and builds on it. One of those areas that has received considerable attention in the GDPR and which now contains much more detail is in the area of international transfers of personal data into and out of the EU. Basically, modern business needs to be able to transfer personal data across borders, but the route to doing that legally under the GDPR is not so easy. Brexit is about to make it much more difficult.

The problem has been highlighted in one of a series of notes published by the UK Government looking at what would happen in the event of a no-deal Brexit. The one on data transfers to and from the EU is here.

How can you transfer personal data internationally  under the GDPR?

The GDPR allows for various separate regimes for transferring personal data across boundaries – and we will look at them before considering what Brexit may do to this structure.

Adequacy decisions

The EU can make an adequacy decision in respect of a particular country, or sector or territory, by which it is saying that it has decided that the level of protection given to personal data is adequate to allow the transfer of personal data without further legitimising steps. Note that this does not give the transferor or transferee carte blanche to do what they like with the personal data – they still have to comply with the GDPR’s provisions.

There are 12 adequacy decisions in place at the moment, but this should not give rise to complacency. Two of the countries are Andorra and the Faroe Islands, neither exactly known for its leading role in data processing. Another is the Privacy Shield in the USA, which replaced Safe Harbor: you may recall that Safe Harbor was struck down as incompatible with the EU’s data protection regime, and a further challenge is being made before the Court of Justice of the European Union regarding the Privacy Shield. It too may be struck down shortly.

Adequacy – the UK’s position after Brexit

It seems to have been an assumption of the UK Government that, by adopting (by and large) the GDPR, it would be fast-tracked through to adequacy. This assumption has proved to be wrong. The UK Government is very reasonably taking the line that it will recognise as adequate transfers of personal data to the EU after Brexit, but the EU Commission is taking the rather more petulant line that it will not even start any assessment of the UK’s adequacy until it has actually become a third country. So it appears that transfers TO the EU will be fine, but transfers FROM the EU are going to be rather more problematic.

Against the UK Government’s assumption that it would breeze through an adequacy assessment and get a quick decision in its favour, there are a couple of problems that stand in the way of the UK getting a quick decision on adequacy.

Firstly, getting an adequacy decision is  not straightforward and can be very time-consuming. Japan seems likely to get an adequacy decision in its favour (and a draft has recently been published) but this took years and a trade deal. Other countries that have adequacy decisions have had to wait for the privilege – tiny Andorra had to wait around two years and Israel nearly four years.

Secondly, the UK has a different attitude to law enforcement from much of the Continent and this is relevant to the surveillance undertaken by the UK Government. This has come under the spotlight in the recent decision of the European Court of Human Rights in Big Brother Watch v United Kingdom to the effect that the UK’s surveillance regimes set out in “RIPA” (Regulation of Investigatory Powers Act 2000) fell foul of the rights to privacy and freedom of expression in the European Convention on Human Rights. RIPA is largely replaced by the Investigatory Powers Act 2016. This finding could be highly relevant to an assessment of adequacy and might well hold up a finding of adequacy.

Standard Contractual Clauses (SCC’s)

These have been published by the EU Commission and remain valid under the GDPR. They are most obviously of use where there is no adequacy decision. There are three different versions and you can take a look at them here. As you can see, there are two templates dealing with a transfer from an EU controller to a non-EU or non-EEA controller and one dealing with a transfer from an EU controller to a non-EU or non-EEA processor.

Problems with the Standard Contractual Clauses

It is immediately apparent that there is no template dealing with a processor to processor transaction.

The next problem is that they may have a short shelf-life, as litigation is currently pending regarding a challenge to the validity of one of the template provisions. It is by no means unlikely that a decision will strike it down as happened with the Safe Harbor.

However, just at the moment, these seem like a good way of ensuring legitimate data transfers between the EU and the UK after Brexit – until we find out about the legal challenge to them, in which case this method of transfer may disappear.

Binding Corporate Rules (BCR’s)

The rules for BCR’s have been continued in the GDPR with more elaboration. There has been relatively little interest in these as a means of securing transfers but large multinationals may well turn to them as a solution for their problems in guaranteeing international transfers of personal data within their own group of companies stretching across many jurisdictions.

The historical problem with using BDR’s is that they have to be approved by a national supervisory authority. What has been seen is that this requires a considerable amount of effort and can take a long time to secure. The supervisory authority is going to want to see that the applicant has in place strong compliance policies and data protection frameworks. Achieving recognition of this is not guaranteed.

One of the assumptions is that this area will see greater interest, not least because there is no current challenge to the legitimacy of BCR’s, though this situation might change at any time.

What else?

The GDPR has tried to move things forward by providing for certification mechanisms and approved codes of conduct as well as allowing for more standard contractual clauses to be approved by national supervisory authorities (and further approved by the EU Commission), but the appearance of these things lies in the future. There are other more limited derogations allowing for the transfer of personal data in specific circumstances, but these are limited in scope and regular transferors cannot rely on them as part of their normal business activities. You could of course try and get the data subject’s “explicit” consent, but seeking this in a meaningful way for a database of many thousands of data subjects is likely to be a painful experience, especially as the GDPR also requires that the data subject should be told in advance of the risks of the transfer in the absence of normal safeguards. Basically, if you do not fit within a fairly narrow category of situations allowing for international transfers outside the EEA, you are left with either not being able to transfer the data legally, or having to agree a contract and seeking authorisation of a national supervisory authority to proceed on the basis of the agreed clauses.

Conclusion

At the moment, the best ways forward seem to be relying on the Standard Contractual Clauses wherever possible or, for a multinational, seeking approval of Binding Corporate Rules. However, this situation needs to be kept under constant review, as the situation could change very quickly.