Doing business with the UK

A moment of clarity?

So, if last week’s election result did anything, it may at last have provided clarity on the state of data protection for British businesses and those operating in the UK market, and in particular data transfers between the UK and the EU. Given the size of the new Conservative majority it is (almost) inconceivable that the Prime Minister will not be able to push through his deal towards the end of the week. Brexit is now inevitable.

That being so, it is worth a quick review of the status of the data protection relationship between the EU and the UK under that deal, and of the steps that need to be taken on both sides; and while we are at it, perhaps to speculate a little on the future state…

The deal

The deal and transitional arrangements agreed between the UK Government and the EU provide a degree of certainty and, importantly, consistency between the current data protection regime and what comes next, at least during the transition period, which is likely to run until the end of 2020.

There is no need, according to the published document, to have an Adequacy agreement at that point, though one is expected to follow quickly. While the UK will no longer have its seat at the European Data Protection Board, it may (note: may) still be invited along to provide insight into specific issues (at the EU 27’s discretion it should be noted – it will have no ‘right of access’). This will continue through the transition period, for as long as that lasts or until it is replaced by something more solid – for example a UK Adequacy finding.

Unilateral acceptance – getting data out is easy (in, less so).

The position of the UK government on data transfers is that they will continue to honour the existing transfer compliance arrangements, and, whatever happens (at least in the short-term), the EU Standard Contractual Clauses, Binding Corporate Rules, Adequacy Findings and Privacy Shield will all continue to be recognised, unilaterally, by the UK – meaning that UK-based firms can rely on all of those methods to underwrite their international transfers just as they do now. The challenge will come where there needs to be reciprocal arrangements, and, in particular where the data is coming from the EU, or may otherwise be subject to GDPR protections.

It should be noted that the Deal only covers transfers between the EU and UK – not with other jurisdictions. So, the UK will need to approach other governments to negotiate data transfer arrangements anew and bilaterally – the most obvious example being Japan, where the reciprocal arrangement which came into force at the end of January 2019 has had to be renegotiated between Japan and the UK.

(In the long run, both Japan and the UK will need to be sure that changes in the UK’s posture on privacy issues do not indirectly affect Japan’s own adequacy status – onward transfers to third countries were specifically called out by the EDPB when the Adequacy decision was under review, and the UK will count as such, post-transition and if no UK Adequacy finding is in place.)

Likewise, US companies with Privacy Shield in place will need to ensure that they update their registration (their public commitment to the Privacy Shield principles) to state expressly that it extends to transfers of personal data from the UK, as well as from the EU – otherwise transfers relying on those Privacy Shield arrangements would not be lawful under the UK Data Protection Act 2018.

What to do?

In the short-term, transfers to and from the EU should be covered by the transition agreement. However, while a year may seem like a long time, to those who have been involved in GDPR and latterly CCPA preparedness, a year is one of those elastic timeframes – when changes are announced, the rubber band is pulled back hard, only to snap back and compress rapidly… so, thinking, and acting, ahead of time is the best option.

Once the transition phase is over, the UK will become a Third Country. It may receive an Adequacy finding – either wholly or in part – but if not, to receive GDPR-protected personal data, UK firms will need to ensure that they have an alternative transfer mechanism in place.

Transfer mechanisms do, of course, exist already that permit data to be sent from the EU to third countries. Companies with Binding Corporate Rules (BCRs) in place are in a strong position, as those approvals will continue to be respected (subject to regular reviews, as normal).

The EU Model Clauses (the SCCs) are also there precisely to provide for transfers to Third Countries – and it is to these that many will turn; they are comparatively easy to implement, and may already be sitting within contracts. If not, EU clients and affiliates can be approached with the Model Clauses as a good option to add to existing Data Processing Agreements.

If you do already have SCCs in place, it will be important to verify the following elements:

  • Whether the UK company or UK-based affiliates are listed separately as data importers;
  • Whether the Controller needs to be informed of the change in status;
  • Whether there are any onward transfer restrictions (e.g. data can go to the EU to be processed but no further, or from another adequate country – such as Japan – but no further).

Of course, this is all predicated on the persistence of the SCCs as a valid legal mechanism. With the opinion of the Advocate General of the CJEU expected any day now, the chessboard could be well and truly overturned – in which case, we can expect a flurry of activity by the Commission and the EDPB to get their house in order and issue a new set of SCCs post-haste – but whether that will happen in time to assist UK companies is another matter. In the longer-run, BCRs would seem to be the safer option.

What the future holds

Given how we have ended up here, it would be foolish to speculate overlong on the future relationship between the UK and trading partners in respect of data transfers. But there are a few areas which may give an indication.

The first of these is the very strident position of the ICO recently – the notices against both BA and Marriott seem to be putting a marker down for erstwhile EDPB colleagues that the ICO, better resourced and able to take on major brands, might just continue to be a useful ally, whatever the official status of the UK. France and Germany, with their own large fines, may of course resist this…

The largest initial question is whether the UK will receive adequacy status. The line that the UK Government has taken would seem to give the EU little wiggle room – if the UK has fully implemented GDPR, it would be churlish to withhold it. However… one should not discount the economic pull of the number of firms relocating head offices and data centres (their own or outsourced) into the EU to head off problems post-Brexit.

Additionally, once outside the EU, the UK will no longer be able to rely on the national security exemption available to member states – pragmatically, one could again argue that it would be churlish to turn down Adequacy on those grounds. But the UK’s participation in the Five Eyes programme, the PRISM programme and other intelligence operations – as well as the likelihood of significant changes to the UK Human Rights Act which may affect compatibility with the European Convention – might well give the Commission pause for reflection.

One way through this could be a UK Privacy Shield – which would, in the same way as the US version, almost certainly be subject to challenge, review and scrutiny over many years, bedding in uncertainty (again, get working on those BCRs!).

And in the long run, there is nothing to suggest that the UK would not start to plough its own furrow in defining data protection. The GDPR is hardly the last word, as we’ve seen in the growing body of privacy statute in the US – and the UK has some strong history in developing law in this area, albeit with a different emphasis (some might say a more pragmatic emphasis) than some European neighbours.

The emphasis on the tech sector in the UK will mean that the country will be well-placed to start to develop in perhaps a slightly different way – is the unilateral declaration of recognition the starting gun on a freer approach to the handling of personal data by corporations and governments? If so, I would urge caution. The use of data by aggregators and corporations may be a short-term golden egg, but it is one that may be laid at the cost of individual privacy and freedom. Throw in the use of data by political parties and nation-states and there are definite risks which we are already seeing crystallise – for example, the inability of the Electoral Commission and others to act on social media campaigning.

Such a move might also cause problems outside of Europe – as US jurisdictions and others (including Japan) start to tighten up controls, and put the individual first. Whatever happens, with so much at stake and in play, it’s going to be an interesting journey to observe – did I say observe? I meant take… after all, this is one that will undoubtedly affect us all…

Some content in this blog was originally published here, and copyright of that material is owned by NTT Security (UK) Ltd.
