Brexit and data transfers: Is your business ready?

The United Kingdom's departure from the European Economic Area (EEA) takes effect at the end of this year. From 1st January 2021, EU rules (including the General Data Protection Regulation, which many UK businesses spent time and resources adapting to) will no longer directly apply to the UK in the same way.

While we await more information on a Brexit deal, it appears increasingly unlikely that anything will be put into place by the exit date, and therefore businesses need to plan accordingly. 

Additionally, the European Commission has recently released new draft Standard Contractual Clauses (SCCs) for international data transfers following the Schrems II judgement revealing weaknesses in the safeguards the EU promotes.

It seems that from January 2021 the UK will be a third country to the EEA, meaning that a safeguard mechanism, most likely the SCCs, will need to be in place.

However, there are now questions around which safeguards should be used between the UK and the EEA, and whether the SCCs will actually be acceptable. A lot is therefore changing for data protection, and quickly.

The UK’s departure from the EEA will affect not only UK-based businesses with suppliers, clients, customers or subsidiaries in the EEA, but also EEA businesses with the same in the UK.

In this article, we examine the best practice steps to put in place to “Brexit-proof” your business before 31 December 2020.  

Data transfers to third countries (and, soon, the UK?)

The GDPR applies extra-territorially to EU citizens regardless of where the businesses making offerings to them are based: businesses not based in the EEA, but dealing with the personal data of its citizens, must follow GDPR standards. In order to ensure that an EEA data subject's personal data is protected wherever it is transferred, stored or processed, the EU requires that a safeguard mechanism is put in place for so-called "third countries", being countries outside the EEA without GDPR-standard rules.

The effect of Brexit (pending a Brexit deal, which now seems extremely unlikely) will be that the UK becomes a third country. Therefore, EU businesses working with the UK, and UK businesses with any sort of activity in the EU, will need to review the data transfers they engage in to ensure they are GDPR compliant. For an in-depth explanation of the safeguards which can be chosen, check out our previous article here.

In brief, the options are an adequacy decision from the EU declaring that UK data protection rules offer a GDPR standard of protection or SCCs being put into place between parties (or Binding Corporate Rules (BCRs) approved by data protection authorities, which are not applicable for most businesses, and will not be discussed in this article).

Doubts over a UK adequacy decision

While the most desirable safeguard would be an adequacy decision from the EU, there are questions around whether this will be possible. One reason for this is that adequacy decisions can take a very long time and normally require at least 3 years, so it is unlikely that the UK will receive a decision before the end of 2020.

More importantly, there are growing concerns that the UK will not receive an adequacy decision at all despite the fact it has transposed a large amount of GDPR rules in its own Data Protection Act 2018.

The Court of Justice of the European Union (CJEU) has recently raised issues over a piece of UK legislation (the Regulation of Investigatory Powers Act 2000 (RIPA)) which allows UK intelligence forces to order telecom and internet companies to hand over customers' personal data. In Case C-623, the CJEU found that the UK and EU member states cannot use "national security" measures as an excuse to override EU privacy laws in order to harvest people's information from communication companies, and expressed concern over the UK's surveillance laws.

This suggests that an adequacy decision, which would be the simplest route to continuing data sharing, may not be granted. In any case, it is very unlikely that it will be granted before the Brexit date, if it is granted at all. And of course, businesses need to start safeguarding now.

So, what can companies do instead to prepare for Brexit, pending further guidance on an adequacy decision?

Can a business use SCCs for EU-UK transfers after Brexit? 

Normally, in the absence of an adequacy decision and if there are no BCRs, businesses can use SCCs in their contract, a model set of clauses that ensure both parties will follow a GDPR standard of protection and permit international transfers.

There are, however, two problems with this!

  • New SCCs: which version to use?

Firstly, the CJEU has recently released a draft set of new SCCs following the Schrems II decision, which invalidated the US Privacy Shield certification allowing for international data transfers between the US and the EU, and raised questions around all international transfers. For a detailed analysis of this decision, check out our article here.

In brief, after finding that the US did not offer an acceptable level of protection due to wide-ranging surveillance powers and revoking the Privacy Shield, the decision also highlighted a secondary concern: that companies could use the SCCs simply to circumvent inadequate data protection laws in the territory their contracting parties were based in. The CJEU has therefore drafted a new version of the SCCs designed to ensure that exporters critically evaluate the territories they are exporting to or from, examining whether it would actually be possible for a party based there to provide a GDPR standard of protection (or whether, for example, surveillance laws there are simply not compatible).

The new draft SCCs are currently open for consultation and this period expires on 10 December. It therefore seems very unlikely that the new SCCs will be adopted before the Brexit deadline, and therefore the old SCCs will remain the legal export tool for transfers between the EU and the UK.

This means that companies aiming to Brexit-proof will need to plan for another round of work from January 2021, updating their contracts to the new SCCs, which is understandably time consuming.

If a company really wanted to avoid this workaround, or a contracting party seemed unwilling to renegotiate, it might be possible to put in place the new (currently draft) SCCs in time for the Brexit date, since it is very likely that these will be adopted. 

However, the best practice next step would be to ensure that the old, accepted legal SCCs are in place before 31 December 2020. The draft decision advises that companies with these SCCs in place will have a 1 year grace period from the date the new SCCs come into force to update their contracts. EU and UK companies should, of course, keep a close eye on whether or not the new draft SCCs are accepted, in which case the best practice would be to update them immediately.

  • However, SCCs alone are not enough

Another problem with the SCCs is the growing discomfort around their use. At the moment they remain legal; however, some experts feel that this may change, and advice from the European Data Protection Board (EDPB) explains that they are not enough on their own.

The US Privacy Shield was invalidated by the CJEU because the court considered it impossible for US companies to offer adequate protection: even if a company took every step it could to follow the GDPR, the US government is able to collect and monitor data in bulk, which is incompatible with GDPR principles.

While the CJEU suggested that SCCs could be used instead of the Privacy Shield for transfers between the US and the EU, there is a growing feeling that this is not appropriate given the surveillance laws that cannot be avoided. In fact, soon after the decision, the same rights group that pushed for the judgment, None Of Your Business, filed 101 complaints that businesses are continuing to share data with the US under the pretence of using SCCs, despite the US having laws that are not compatible with the GDPR.

The new SCCs put an onus on data exporters to ensure that data protection laws actually will be followed, and not just to use them in order to facilitate a transfer. So, the question is, are the SCCs appropriate for UK and EU transfers? 

The CJEU has already raised concerns over the UK's RIPA allowing for mass surveillance, and given its similar concerns with the US surveillance laws, there may be tension in using the SCCs for EU and UK transfers, since these UK surveillance laws cannot be avoided but are not compatible with EU law. Therefore, while SCCs remain the most effective method to ensure data flows between the EU and the UK pending an adequacy decision, companies need to think about doing more than having SCCs in place for best practice "Brexit-proofing".

  • Supplementary measures

The EDPB has advised that it will be examining the use of SCCs closely to ensure that state surveillance is adequately combatted with controls that totally stop it.

The first measure suggested is strong encryption, to ensure that the data transferred cannot be accessed in transit and cannot be used in any way other than intended once it reaches a third country. This way, the data cannot be harvested for state surveillance. The second measure suggested is a privacy enhancing technology that prevents an individual from being identified: for example, pseudonymising parts of the personal data transferred, to the extent that the individual cannot be identified and no surveillance method could deduce this information.
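As an added illustration of the second measure (this is example code, not from the article or from Gerrish Legal), the following pseudonymises direct identifiers with a keyed HMAC before export: the importer receives consistent tokens it can analyse, while the key and lookup table that re-identify a person never leave the EEA exporter. The sample records are constructed, not real data.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed sample records, as an EEA-based exporter might hold them.
SAMPLE_RECORDS: List[Dict] = [
    {"email": "alice@example.eu", "order_total": 120.50, "country": "FR"},
    {"email": "bob@example.eu", "order_total": 80.00, "country": "DE"},
    {"email": "alice@example.eu", "order_total": 15.25, "country": "FR"},
]

# Fields that directly identify a person and must not leave the EEA in clear.
DIRECT_IDENTIFIERS = ("email",)


def generate_exporter_key() -> bytes:
    """256-bit secret held only by the exporter (never sent to the importer)."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed token: the same identifier always maps to the same
    token (so the importer can still group records), but without `key` the
    token cannot be linked back to the person, nor checked against a guess."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Split the data set into what may be exported and what must stay behind.

    Returns (export_set, lookup): export_set has identifiers replaced by tokens;
    lookup maps token -> original identifier and is retained by the exporter."""
    export_set: List[Dict] = []
    lookup: Dict[str, str] = {}
    for record in records:
        exported = dict(record)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(record[field], key)
            lookup[token] = record[field]
            exported[field] = token
        export_set.append(exported)
    return export_set, lookup


def reidentify(exported_record: Dict, lookup: Dict[str, str]) -> Dict:
    """Exporter-side only: restore identifiers using the retained lookup table."""
    restored = dict(exported_record)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[exported_record[field]]
    return restored
```

Because the lookup table is keyed by token, the exporter can still answer a data subject request about a specific record the importer returns, which is part of what must be documented in the transfer assessment.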

Above all, companies should make sure they document their considerations when using SCCs. It will not be enough for UK and EU businesses to put SCCs in place without actively considering the possibility of state surveillance, with RIPA in mind. If this is deemed low risk, the reasons for this decision must be documented. If not, the additional measures being put in place must completely stop the possibility of any state surveillance.

We hope that this guidance is useful to any companies looking to Brexit-proof before January. If you have any specific questions or would like assistance in preparing for Brexit, please don’t hesitate to contact us!

Article by Lily Morrison @ Gerrish Legal, November 2020
