PrivSec Report looks at some of the issues facing data protection professionals impacted by Brexit as the end to the transition period draws near.
June 2016’s UK referendum on EU membership ushered in stormy waters between the UK and Europe. Four years on, and the UK is approaching the end of the transition period – but the waves continue to churn.
With January 1 looming as the date that the UK will leave the EU in real terms – with or without a trade deal – the recent climate has been characterised by tough talking and thunderous speculation over how close the UK and its biggest trading partner might be to agreement.
Across the business spectrum, the clouds of potential fallout are gathering. But with the free flow of data and stable data transfer mechanisms underpinning all sectors of the modern economy, what could Brexit mean for the transfer of data – and the professionals safeguarding that data?
Research has shown that data protection and privacy is one of the most important issues for consumers. The raft of regulation across the globe has placed an intensifying spotlight on data protection officers within organisations – and the issues are getting more complex.
No such thing as a data island
Data is big business, and three-quarters of the UK’s data flows take place with EU countries. But outside the EU, the UK will be a “third country” in data protection terms, and it can no longer take unhindered flows of personal data from EU countries for granted.
Yet the UK also has a pivotal role to play globally as a gatekeeper for a substantial portion of the world’s data, according to Roxanne Morison, Head of Digital Policy at the Confederation of British Industry (CBI), a UK-wide organisation that represents 190,000 firms of all sizes, across all sectors.
“The UK has 11.5% of cross-border data flows and the largest data centre market in Europe. So being able to maintain the free flow of data both with the EU, but also the rest of the world, is incredibly important to our whole economy,” she says.
An adequacy decision is at the heart of continued future data flows between the UK and the EU – under the GDPR, the European Commission must be satisfied that the UK provides an appropriate level of protection for the rights of data subjects in Europe. Despite the UK having itself adopted the GDPR, the process is not a foregone conclusion once the UK is free to change its regulatory regime outside the confines of EU membership.
The data protection stakes could be high for the approaching deadline for a UK-EU trade deal. A trade deal is distinct from an adequacy decision – but Morison believes that the two will be closely linked.
“Like with everything, there’s an element of politics in this and if the political headwinds are positive and strong, I think that goes a huge way to making sure the negotiations can go well,” she explains.
She predicts that if the UK and the EU agree a trade deal, the likelihood of adequacy goes up. And, in the event they do not – a no-deal scenario – she believes that the likelihood will go down, though it is not impossible.
“Even though getting an adequacy decision from the EU Commission is a separate process, I think it would have political ramifications for those discussions. So I think getting an adequacy deal would be harder.”
The UK as “third country”: just another fish in the sea?
It’s not just political headwinds that the UK needs to pay attention to, however: 2020 has been a turbulent year in the courts for cross-border data transfers.
In October, the Court of Justice of the European Union (CJEU) handed down a ruling on the clash between national security and data protection principles that could have significant consequences for a UK adequacy decision. The Court found that EU privacy rules apply to national security legislation requiring communications providers to collect and retain general and indiscriminate bulk communications data, or to hand it over to security agencies, with implications for the acquisition and use of communications data by the British security and intelligence agencies.
In July, the same court’s landmark Schrems II decision struck down the Privacy Shield, which had allowed data transfers between the EU and the US, over the issue of US surveillance laws. That leaves the UK vulnerable to similar treatment in its pending adequacy decision; the sharing of intelligence data between the UK and the US had already caused some concern for future UK adequacy.
Arnold Roosendaal, Director of Privacy Company is frank about the possible implications of the October CJEU ruling for the UK.
“I think maybe in this case for the UK it will be problematic because they need to get this adequacy decision and, as long as this regime is in place, they cannot support their findings or their ideas that they have adequate protection of personal data. They are sort of in a similar situation now as the US, with the Privacy Shield no longer being valid, which was decided last July. They also lack an adequacy decision, so there is no clear regime for transferring data to the US – and this will be the same for the UK, I’m afraid,” he says.
With the Privacy Shield sunk, there are other methods of transferring data between the EU and the US (and other third countries), notably standard contractual clauses (SCCs).
A sailor went to SCC
SCCs are standardised sets of contractual terms, signed by the sender and the receiver of personal data. When the data leaves the EU, and with it the direct reach of the GDPR, the SCCs bind the receiver to contractual obligations to safeguard that data and maintain the protections the GDPR would afford, even though the data has entered a third country.
Morison takes heart from the current validity of SCCs as determined by the CJEU in the Schrems II decision.
“I think the good news was the SCCs were upheld as a viable mechanism of international data transfers. And that’s really important in a Brexit context, because if the UK was to leave without a [adequacy] deal, SCCs would be one of the main mechanisms to rely on for international data transfers. So the fact that they were upheld by the ECJ is important and good news for businesses,” she says.
In the absence of an adequacy decision, SCCs will undoubtedly be a lifeline for many businesses that need to keep receiving personal data from the EU post-Brexit. Nevertheless, crucial caveats remain on their use.
Data exporters must apply SCCs on a case-by-case basis, risk-assessing the recipient country’s data protection regime and practice. This has always been necessary when relying on SCCs under the GDPR, as the accountability principle put into practice, but the loss of the Privacy Shield has placed a spotlight on that risk assessment.
“There’s more responsibility on businesses to verify that the safeguards that are offered by SCCs are actually enforceable in third countries, which is an interesting legal precedent to set for businesses in terms of them having more agency and responsibility in terms of assessing countries that they’re sending data to,” says Morison.
She adds: “Equally for regulators, DPAs now have, again, a precedent to suspend transfers of personal data to a third country if they don’t think the safeguards offered by SCCs can be enforced there. So DPAs again now have more responsibility to look at the overall data protection regime and where data is being transferred in and out of a country that they oversee.”
Undercurrents of European unease over SCCs are already apparent. In September, the Irish Data Protection Commission ordered Facebook to suspend its use of SCCs for EU-US data transfers, although the order is currently stayed pending a legal challenge by Facebook.
Updated guidance on SCCs was released last week by the European Data Protection Board, forming a “roadmap” for data exporters to establish whether supplementary measures to SCCs are necessary, and to identify effective ones. The recommendations contain specific “use cases” suggesting that tools such as encryption and pseudonymisation might be considered effective measures if certain conditions are upheld. The guidance is currently open for public consultation.
The EDPB has also set out “European Essential Guarantees”, for determining whether third country laws allowing access to data for the purposes of surveillance constitute a “justifiable interference” with privacy and personal data protections, and would therefore be GDPR-compliant.
Focus among many affected businesses has turned to identifying additional safeguards, or a toolbox, to supplement SCCs, for example “transfer impact assessments”. Ahead of the release of the EDPB guidance, organisations and legal advisers had also been developing their own guidelines. BSA The Software Alliance, a membership organisation for the global software industry, distilled seven principles for safeguarding data in connection with law enforcement or national security-related requests from governments. The BSA principles include establishing clear processes for responding to government requests; requiring any such request to be narrow and lawful, and rejecting or challenging any deemed unlawful; notifying users of the request; employing technical measures such as encryption; and transparency.
The reverberations of the Schrems II decision will undoubtedly be felt for some time while EU and US authorities work to devise a replacement mechanism for the Privacy Shield, or more clarity emerges. In the meantime, uncertainty for businesses wishing to transfer data between the two jurisdictions remains – and British businesses are likely to be paying extra attention to any movement on US adequacy.
“I think the overwhelming sense that we got from businesses is that Schrems II is kind of manageable in the short term, there are quite clear steps that you can take. But it raises a lot of existential questions over the nature of international data transfers. I think what happens in the courts over the next two, three, four, five years is going to have huge implications for how that regime is set up – and certainly how the UK looks to interact with the rest of the world,” says Morison.
Preparedness for leaving the EU without an adequacy decision is not uniform across the UK economy, according to Morison, who highlights the difficulties for SMEs in particular, which are disadvantaged by the administrative burden of establishing mechanisms such as SCCs.
“When it comes to Brexit preparedness, data protection is one of about 40 areas that businesses have to consider and then prepare for. Firms with more resource in these departments obviously have the capacity to think about these issues and take mitigating action,” she says.
Islands in the stream
Roosendaal, whose clients are typically commercial organisations established internationally dealing with large datasets, has seen many UK-headquartered companies either moving their HQ or opening additional offices in EU countries such as Ireland, Germany and France. But it’s not a fail-safe plan, he says.
“I think if we look at the steps that companies are taking, stepping out of the UK and having your establishment somewhere else in the EU, that’s a solid solution. But as long as you still have your business in the UK, you will need this transfer of personal data one way or another. So it doesn’t really solve the problem as long as any kind of business or personal data transactions remain with UK,” he says.
Instead, data localisation could be a solution.
“We are, in many cases, trying to get a grasp on how they could make distinctions within their organisation – so if they can split it between different sections, different types of data sets, different types of transfers,” he says.
For example, where employees are divided between the UK and the EU, storing HR information in the relevant employee jurisdictions is “not really that far-fetched,” he says. Salary and benchmarking, for example, could feasibly be done without exchanging specific data at an individual employee level. Similar distinctions can be made when it comes to the storage of different types of client data with differing degrees of sensitivity, applying a risk-based approach.
“We really try to help these organisations along with making the distinctions, making the analysis – like what kind of data do you have, for which purposes, what’s the core business, is it client data, is it customer data, are you having different establishments where you can make distinctions?” he explains.
If widespread data localisation becomes the preferred solution, this could have existential impacts for some UK-based businesses, particularly those whose core business is processing personal data as a service, since EU clients and controllers can relatively easily look for an alternative, EU-based service provider. Large-scale providers, such as some of the US market leaders, may find this easier to sidestep than smaller operations.
A May 2020 policy paper by the UCL European Institute suggests that some US firms might already have been preparing for such an eventuality:
“… there is already evidence that U.S. technology firms are preparing for this. U.S. firms have been investing heavily in European data centres for several years and this has continued unabated, with Google announcing plans in 2019 to invest $3.3 billion in European data centres.”
For the UK, the impact could be significant. A 2017 report commissioned by techUK stated that “According to one study, the economic impacts of data localisation on the EU as a whole would be a reduction in GDP of 0.4-1.1%, in private investment of 3.9-5.1%, and in services exports of 1%.”
As when the GDPR was introduced, Brexit might necessitate additional budget for data protection teams looking to remain compliant or to futureproof their compliance, though unlike the GDPR, the impact will not be felt equally across all businesses in all sectors. The companies with the biggest Brexit exposure will need the most additional resources, though the need might be temporary.
However, rather than the wholesale structural and process change that GDPR wrought, Brexit adjustments will be part of a general evolution within data protection, Roosendaal believes.
“Things will not drastically change because of this; it’s more like we see the general movement going on with the switch towards demonstrating compliance, showing that you’re in control, having the internal audits, having GDPR compliance sessions. Whereas in past years it was more like: OK, we have to fix things, and we have to introduce procedures and all kinds of controls. Most things are in place now, in general, and now it’s really getting towards the more difficult, high-level questions and demonstrating compliance and auditing.”
With GDPR here to stay, and the UK committed to remaining part of that framework, at least for now, eyes are on the European Commission for its adequacy decision – but also on the UK to see how it will continue its approach to data protection post-transition, and particularly on the UK’s National Data Strategy.
For businesses, which stand to gain or lose by the data decisions made in the coming months, some of which will be taken outside UK sovereignty, the difference could be between plain sailing and sinking.