Loath as I am to add to the considerable volume of column inches surrounding the UK’s attempts to leave the European Union (EU), the process, riven with uncertainty, poses significant questions for companies transferring data in and out of the UK, wherever they are located.
The UK’s data protection landscape has long been defined by the EU – with vocal agreement from the UK government. Should the UK leave – and in particular leave with no deal in place – that position changes radically, and so it seems appropriate to explore scenarios and what they may mean.
The position of the UK government on data transfers out of the UK is that it will honour the existing arrangements – so the EU Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), Adequacy Findings and Privacy Shield will continue to be recognised, unilaterally, by the UK. UK-based firms can continue to rely on those methods to underwrite international transfers initiated from the UK.
This does not cover transfer from the EU into the UK and also relies on non-EU jurisdictions reciprocating. For example, to rely on Privacy Shield, UK firms will need to ensure that US processors extend their registration to include the UK – otherwise transfers based on those Privacy Shield arrangements would not be lawful under the UK Data Protection Act 2018. The UK government is working hard to match the EU-Japan adequacy finding, which will no longer apply to UK companies.
The yet-to-be agreed deal between the UK and the EU provides consistency with the current data protection regime, at least during the transition period. While the UK will no longer sit on the European Data Protection Board, it may be invited to provide insight into specific issues. The UK will, for transfer purposes, be treated as now during the transition period, or until it is superseded – for example with a UK Adequacy finding.
The deal only covers transfers between the EU and UK – not with other jurisdictions. As above, the UK will need to approach other governments to negotiate new data transfer arrangements – the most obvious example being Japan (which will also need to ensure that any UK adequacy finding on its part does not endanger its own EU finding).
With no deal in place, the UK becomes a ‘third country’ in General Data Protection Regulation (GDPR) terms, and transfers without a suitable compliance mechanism become unlawful. Transfers direct from other countries into and out of the EU will be unaffected, but any data transiting to, or via the UK, will be impacted.
The UK will seek to secure an adequacy finding; but may struggle to do so, in part because of the obvious political fallout, but also due to the challenges posed by UK laws around surveillance and intelligence co-operation – permitted for EU member states but a potential sticking-point once the UK becomes that third country.
Transfer mechanisms exist: existing Binding Corporate Rules (BCRs) will be respected, and Standard Contractual Clauses (SCCs) will work. It is to SCCs that many will turn, as they are comparatively easy to implement and often already built into contracts. If not, they are an appealing option to add to Data Processing Agreements (DPAs).
If you do have SCCs in place, it will be important to verify the following elements:
- That the UK company is listed separately as a data importer;
- Whether the Controller needs to be informed;
- Whether there are onwards transfer or other data sovereignty restrictions elsewhere in the contract.
Additionally, you will need to check whether international transfers are declared in your privacy notices, as those would now need to declare the UK (for EU companies), and vice versa, as an international transfer.
For UK-based firms trading into the EU, if you cannot define a new ‘main establishment’ within the EU, you will instead need to appoint a Representative under Article 27 of the GDPR – something that may be a challenge given the liability issues.
As a multinational, if you have been using a UK company as your main establishment or representative, you will need to find one within the new EU border. This does not necessarily mean moving staff, or your Data Protection Officer, but they must be ‘accessible’.
It is also worth noting that, in any kind of Brexit, UK firms also lose the benefit of the One Stop Shop mechanism on breaches – meaning laborious duplicate reporting to regulators.
And what if…?
The final two points worth referencing: in the event that Brexit doesn’t happen (revocation of Article 50), no additional arrangements would be required. Likewise, should the UK remain in the Single Market or come to a similar arrangement as Norway, it is highly likely that no additional arrangements would be needed, depending on the exact terms.
A risk-based approach will assist in protecting your business – look at your UK-EU data flows, review DPAs to make sure that they cover the UK, review Representative arrangements, and check privacy notices. Data will flow – the task is to make sure it happens in a compliant way in a new landscape.
The UK Information Commissioner’s Office (ICO) is rapidly producing guidance and is worth a visit, whether you are importing to or exporting from the UK.