EU data transfer mechanisms are in a state of flux, and the additional complications of Brexit can leave organizations wondering how best to navigate this current area of uncertainty. Several decisions need to be made: are new data transfer mechanisms needed following Brexit? If so, which one(s) should be implemented? What is the relevant timeframe? How can data flows be prioritized sensibly for remediation? These decisions will be influenced by other factors such as a need to replace Privacy Shield as a transfer mechanism, to supplement existing Standard Contractual Clauses (SCCs) following the Schrems II case, and to implement the European Commission’s new SCCs once they are available. Added to this is the likelihood that data transfers will remain a focus for privacy rights activists and therefore regulators, and that data transfer restrictions (or data localization) are becoming a significant geopolitical issue. Given this complexity, organizations need to ensure they understand the issues, and adopt a defensible strategy for reviewing and updating their data transfer mechanisms.
Impact of Brexit
Brexit has further complicated the data transfer issue, not least due to confusion about the date by which EU-UK data flows must be addressed. Technically, the UK left the EU on January 31, 2020, but a transition period preserved the status quo, including in relation to data transfers, until December 31, 2020. Accordingly, during 2020 EU entities could continue to export personal data to the UK as if it were still an EU Member State. On December 24, 2020, as the end of the transition period approached, the EU and UK announced the EU-UK Trade and Cooperation Agreement. To general surprise, this Agreement provides yet a further transition period for data flows, easing the immediate pressure to implement alternative arrangements. This new transition period of up to six months is to allow the European Commission time to conclude its assessment of whether the UK’s data protection laws meet the EU standard of adequacy under the EU General Data Protection Regulation (“GDPR”).
Likelihood of UK adequacy
An adequacy determination from the European Commission would ease data transfer restrictions between the EU and the UK, removing the need for EU organizations to implement a transfer mechanism such as SCCs or Binding Corporate Rules to send data to the UK. This would be a welcome outcome for business, but it comes with the price of tying the UK’s data protection regime to that of the EU. In other words, adequacy is not a ‘one time’ assessment, but is an ongoing process. The UK is thought to have a good chance of being considered adequate, given that the UK’s data protection laws incorporate and remain closely aligned with the GDPR. Indeed, if the UK is not successful, it is hard to see how other countries, particularly those whose data protection laws are not based on the GDPR, could succeed with an adequacy assessment. However, the assessment process also considers surveillance and government access to personal data. These areas are not within the competence of EU law but will be subject to scrutiny now that the UK has left the EU. It is possible that the UK’s surveillance laws may be criticized, either during the adequacy assessment itself, or perhaps as part of a legal challenge at some later date. Typically an adequacy assessment requires approximately two years to conclude, but the UK’s application is proceeding more quickly, and recent comments suggest the UK is confident that a decision will be made soon.
If adequacy is not granted …
If the UK does not receive an adequacy decision, transfers of personal data from the EU to the UK will require a data transfer mechanism. Many organizations took steps in 2020 to prepare for this possibility by implementing SCCs, naming the UK as a non-EU importer for EU-UK transfers, to take effect at the expiry of the Brexit transition period. While the current SCCs are a dated tool, and are in the process of being replaced, for now they are likely to be the most pragmatic solution.
Transfers from the UK to the EU
Transfers from the UK to the EU do not require a transfer mechanism. The UK government has already recognized EU Member States as adequate, and adopted the EU’s existing adequacy determinations. Accordingly, transfers from the UK to countries such as Israel, Canada and Japan (among others) do not require a transfer mechanism following Brexit.
Transfers from the UK to the US and other non-adequate countries
Transfers from the UK to the US and to other non-adequate countries will continue to require a data transfer mechanism, just as they did when the UK was an EU Member State. It should be noted, however, that EU laws (like the GDPR) have become part of UK law, and decisions of the CJEU handed down before 31 December 2020 remain authoritative and binding in the UK as part of retained EU law. Accordingly, Schrems II remains part of UK law and the Privacy Shield continues to be invalid in the UK. Finding a replacement for the Privacy Shield appears to be a priority for President Biden’s new administration, and it seems likely that the UK would seek to adopt any new arrangement that is negotiated between the EU and the US. Similarly, when the European Commission adopts its new SCCs, the UK is likely to adopt a broadly similar approach in adopting its own SCCs.
Impact of Schrems II
Organizations utilizing SCCs should note that following Schrems II they must undertake (and document) a data transfer risk assessment, and add supplemental contractual provisions as necessary to mitigate the risk of government access to EU personal data, and to ensure individuals’ rights in relation to their personal data are respected. Further, EU regulators have signaled that significantly greater detail will be expected when implementing data transfer mechanisms, and that generic, broadly drafted, catch-all SCCs are unlikely to withstand scrutiny. A more granular approach can be seen in the European Commission’s proposed replacement SCCs.
Additional Brexit considerations
The UK’s departure from the EU has other consequences for data protection, in addition to data transfer issues. With effect from 1 January 2021, the UK is a ‘third country’ for the purposes of the GDPR, and the one-stop-shop mechanism no longer applies. Organizations therefore face the possibility of enforcement by the Information Commissioner’s Office as well as enforcement by European supervisory authorities for infringement of the GDPR, for example, in the event of a data breach.
In addition, organizations in the UK will remain subject to the EU GDPR by virtue of Article 3(2) where they process personal data in the context of offering goods or services to data subjects in the EU, or monitoring their behavior. UK organizations that continue to do business in the EU may well find that they must continue to comply with the EU GDPR, as well as the UK GDPR. For now, the laws are essentially the same, but that position may change, whether intentionally or inadvertently. UK organizations that continue to process EU personal data from the UK will also need to assess whether they must appoint an EU representative, under Article 27 of the GDPR. Similarly, EU organizations continuing to process UK personal data will need to consider whether they are subject to the UK GDPR by virtue of Article 3(2) of the UK legislation, and whether to appoint a UK representative.
Prioritising transfer remediation tasks
Given the complexity and legal uncertainty in relation to data transfers, organizations must ensure they understand the detail of their data transfers, including transfers to and from other group entities, customers and vendors. With those facts to hand, transfers from the EU to the UK should be identified and prioritised for remediation. Alongside EU-UK transfers, UK-US transfers that previously relied on the Privacy Shield should also be prioritised. Transfers that rely on SCCs must also include a Schrems II transfer risk assessment and additional contractual safeguards. All of these steps should be undertaken on the understanding that they will be an interim step, given the likelihood that the Privacy Shield will be replaced, and that new SCCs will need to be implemented.
Brexit aside, data transfers have long been a complex and challenging issue. Now that data protection regulators, prompted by privacy activists such as Mr. Schrems, are actively enforcing compliance with data transfer restrictions, this is an area that requires ongoing attention.