Transferring EU personal data across borders is a complicated and sensitive issue. Last year’s ruling on the invalidity of the EU-US Safe Harbor scheme, and the subsequent negotiations culminating in the EU-US Privacy Shield, are testament to this. Following the Safe Harbor ruling, US and EU lawmakers had to scramble to agree on the terms of the Privacy Shield, which will operate as a voluntary scheme for US data importers and which some EU privacy activists may yet challenge.
Obviously, when the UK exits the EU, it does not want to endure the tortuous, years-long journey taken by the US in developing the Privacy Shield. But the fact is that upon Brexit, the flow of EU personal data to the UK will no longer be lawful unless the UK is assessed as having an adequate level of data protection by the European Commission (EC). And to date, the EC has only assessed 11 countries as having adequate data privacy legislation.
So the burning question in this area is: Would the UK’s data protection regime receive an adequacy endorsement from the European Commission?
The UK’s current data protection position would at the moment likely obtain a favorable EC assessment. After all, the UK has transposed the EU Data Protection Directive 95/46 into UK law; therefore the UK’s domestic data protection laws now match the standards required by the EU.
However, the General Data Protection Regulation (GDPR) — set to become law across all EU member states on May 25, 2018 — casts a long shadow on the UK’s data protection position. The GDPR will replace Directive 95/46 and create an even more robust privacy framework that will include mandatory data breach requirements, the right to be forgotten, increased penalties and more.
The timing of the GDPR could prove problematic for the UK because it is very likely that the UK will still be a member of the EU when the GDPR takes effect in 2018. (The UK will remain a member of the EU for at least two years following its formal notice to leave, which has yet to be served.) If the UK is still an EU member at that time, then it will have to apply the GDPR. However, because the GDPR is a regulation (not a directive, like current Directive 95/46) the UK will not have to implement the GDPR through its domestic legislation.
This last point is important because immediately on the date the UK leaves the EU, the GDPR will cease to have legal force in the UK. At the same time, in the absence of an adequacy decision from the European Commission, the free flow of EU personal data to the UK will no longer be lawful. At this stage the UK could revert to the preexisting Data Protection Act 1998, which was based on Directive 95/46. However since the GDPR will replace Directive 95/46, the Data Protection Act 1998 is unlikely to pass muster with the European Commission.
It is therefore highly likely that the UK will be motivated to enact domestic legislation that matches the GDPR. Doing so will enable the UK to secure an adequacy decision from the EC to allow EU data to transfer to the UK. It’s important to note that the GDPR will apply to UK companies anyway where they offer goods or services to citizens in other EU countries.
The issue of national security and the powers of surveillance have been at the very heart of the data privacy debate between the EU and the US, including the protracted negotiations over the new Privacy Shield agreement. The UK could eventually find itself in a similar position to the US with regard to EU authorities, since the UK’s Investigatory Powers Bill is due to be enacted at the end of this year. The bill includes “bulk interception warrants,” which some in the EU believe will lead to mass surveillance similar to that performed by US authorities and which led to the demise of the EU-US Safe Harbor scheme. The conflict between national security and data privacy is such that even if the UK enacted legislation to match the GDPR, the EC could find the UK’s data protection controls inadequate due to EU data exposure to UK government mass surveillance.
In the absence of a finding of adequacy, the UK would be in a similar position to that of the US in the interim period after Safe Harbor and before the Privacy Shield. During that time, all transfers of EU data to the US required obtaining the consent of the data subject or the use of EU Standard Clauses or Binding Corporate Rules (BCRs). (For more information, see the Radius blog post “Now that Safe Harbor Is Invalid, What Are My Options?”)
US companies that do not participate in the Privacy Shield may still rely on these measures to legally transfer EU data to the US. However the European Court of Justice (ECJ) will soon decide whether data transfers supported by the Standard Clauses can meet EU privacy standards if the data is open to surveillance by the US National Security Agency. In the event of a ruling against Standard Clauses, this option would no longer be open to US organizations or to UK organizations if the UK finds itself in a similar situation.
In the event that EU Standard Clauses are deemed invalid, there would remain two legal means of transferring data outside the EU — either through the use of data subject consent or the use of Binding Corporate Rules (BCRs). Data subject consent may be an adequate measure when the volume and frequency of data transfers are low, but documenting consent for each transfer, and also providing individuals with the means to withdraw their consent, are huge undertakings for larger companies. My experience has shown that using the EU Standard Clauses has long been preferred to using data subject consent.
That leaves BCRs, which are internal privacy rules that uphold EU privacy standards when EU data is transferred to other non-EU companies within the same organization. Large multinationals have been gravitating towards BCRs given the uncertainty around the continued use of Standard Clauses. But using BCRs is only an option for transfers between related group companies. Moreover there is now some doubt as to how the BCR regime will work following the UK’s exit from the EU.
BCRs must be approved by a lead data protection authority located in one of the EU member states. Once satisfied, the lead authority will circulate the BCRs to other EU data protection authorities, each of which must authorize them. Following the UK’s EU exit, the UK’s data protection authority — the Information Commissioner’s Office (ICO) — will no longer play an active role in this process (unless specifically provided for during coming negotiations between UK and EU authorities). This will leave UK-headquartered businesses with the burden of having to approach a data protection authority in another country to operate as the lead approver. There is also concern regarding BCRs that have previously been approved by the ICO, and BCRs in the process of being approved. It is likely that another UK lead data protection authority will need to replace the current ICO role, but the issue (like so many others related to Brexit) remains for the moment uncertain.
In the midst of this uncertainty, and with the understanding that UK data protection requirements will continue to evolve, I’ll close this post with three points to keep in mind.
- Given that the UK will undoubtedly want to match the provisions of the GDPR, UK-established businesses should continue their GDPR readiness programs. (Remember that most international businesses will be subject to the GDPR anyway, where they are deemed to be a data controller in another EU member state or where they offer goods or services to EU citizens from outside of the EU.)
- It may take some time for the UK to secure an adequacy decision from the European Commission to allow the free flow of EU personal data to the UK. Should this not occur in time for the UK’s EU exit, businesses importing EU data into the UK will need to adopt additional security measures such as BCRs or EU Standard Clauses (contingent on their continuing validity).
- If you pursue the BCR option, consider the possibility of using an alternative lead authority to the UK’s ICO.
By Stuart Buglass, VP Consulting