How UK enterprises might protect EU citizen data post-Brexit

It’s a data protection horror story. Come Halloween night 2019, the UK is due to leave the European Union without a withdrawal agreement.

This no-deal Brexit will see the EU no longer treat the UK as an equal in the Union but like any other country with which it has no formal agreements. That includes how it deals with the protection of information about EU citizens.

A recent study by UCL found that some 75% of the UK’s international data flows are with the EU and concluded that disruption to EU-UK data flows will be “extremely damaging” for UK businesses. However, in the current and most likely scenario, those data flows are likely to be disrupted and UK companies will need to make rapid changes.

However, enterprises can put in place certain mechanisms and agreements to ensure any data they receive from the European Economic Area (EEA) into the UK is still compliant with GDPR.

The UK will be a third country post-Brexit

The now-voted-down withdrawal agreement for the March 2019 exit ensured the UK would have its current GDPR-given adequacy for the two-year transition period. However, that was withdrawn after the planned exit date was moved to October and no further advice has been issued. The current situation looks likely to be a no-deal Brexit. The EU has released a statement confirming it will treat the UK as a “third country” after the withdrawal date until any adequacy decision has been made.

UK organisations only sending data into the EEA will be largely unaffected as the UK Data Protection Act recognises countries that have enacted the GDPR as being adequate from a data protection perspective. However, being a third country means any data flows from the EEA into the UK will be affected and need looking at and new procedures may need putting into place.

The easiest and most common route to ensuring compliant data transfers between the EU and UK is with Standard Contractual Clauses (SCCs): agreements between the parties sending and receiving the data that the companies outside the remit of GDPR are providing the same level of protection citizens could expect in GDPR-compliant countries.

“Standard contractual clauses are a fixed form of wording that you can add to a contract,” explains Helen Goldthorpe, associate at legal firm Shulmans LLP, specialising in commercial and IT law. “The benefits are that it's relatively simple to put in place. Because it is standard wording, it doesn't need too much negotiating and most reputable companies will be relatively comfortable with them.”

There is also the option of Binding Corporate Rules (BCRs), which allow multinational corporations, international organizations, and groups of companies to make intra-organizational transfers of personal data across borders. However, they are more detailed and require approval and auditing from data protection authorities within the EU. According to the UK government, BCRs can cost around £250,000 to set up. Approval from regulators can take anywhere from six to 18 months. It’s also worth noting BCRs would not cover data travelling from cloud providers back to company-owned systems.

“Binding corporate rules are a lot more tailored,” says Goldthorpe. “And if you do them well, they can be quite useful in that they are very much tailored to your business. But they're also expensive. And it takes an age to get them approved.”

Standard contractual clauses in practice

SCCs contain a standard set of contractual terms and conditions that oblige the companies involved to protect personal data when it leaves the EEA. A company that fails to put data transfer mechanisms in place but still sends data from the EEA to the UK will be liable for contravening GDPR and potentially open to fines.

"SCCs serve as a mechanism through which an EU based legal entity can share personal data outside the EU to countries that are recognised as not being able to offer adequate protection," explains Christine Jackson, Partner, Outsourcing Technology & Commercial, Wright Hassall.

The ICO has published guidance to help organisations work out when they are affected by these rules and provides resources to help companies build SCCs from standardised templates.

"Additional commercial terms may be added provided the essence of the protection embedded in the template remains undisturbed," says Jackson. "Any such amends will attract regulatory scrutiny and the unwelcome reputational harm that is increasingly associated with contravening data protection activity." 

SCCs include clauses stating that data will be protected in a way that complies with the GDPR and local data protection laws. Those clauses also require companies to process the data in ways stipulated in the SCC, inform the entity exporting the data of any security incidents involving that data, and more.

Currently, there are only a limited number of SCCs available -- EEA controller to non-EEA controller or EEA controller to non-EEA processors -- meaning things are more complicated if your controller-processor flows don't fit. While companies can amend the language within SCCs, they often can't be completely tailored to meet specific situations and needs.

Linda Thielová, Data Privacy Counsel at OneTrust, says because of these limitations organisations are creating 'clunky' workarounds such as having separate contracts with different parts of the data flow supply chain and supplementing SCCs with additional data processing contracts. These supplemental agreements will go into more detail around the specifics of how that business relationship works around issues such as auditing, incident response, and security certification to cover what isn't mentioned in the SCC templates.

"It's a little clunky and it can also be quite a nuisance in terms of relationships with your clients," she says. "That's probably like the biggest pain that we're seeing with the SCCs right now at this point."

European Commissioner Věra Jourová has said that the EU is reviewing SCCs and the expectation is that this will result in more options when it comes to data transfer agreements.

"Everyone's hoping that when this [review] happens the Commission will introduce a wider portfolio of SCCs that would cover more situations that occur; controller to controller, processor to processor etc," says Thielová.

It's also worth noting that while relatively easy to put into place, such agreements should be treated seriously and not simply agreed to blindly: companies are obliged to ensure both parties are holding up their ends of the contract.

“Standard contractual clauses are the de facto method of transferring data to a non-adequate country or organisation in a non-adequate country,” says Barry Cook, privacy and group data protection officer, VFS Global, an outsourcing company that handles visa and passport issuance-related tasks for governments. “My concern is that it's going to be one of these sign-off things where really it's just a paper exercise.”

“It's OK putting standard contractual clauses in but it's not just a paper exercise,” Cook continues. “You really have to make sure the parties in the contract are capable of abiding to those contractual clauses. And there is an obligation on the sending party to ensure that the receiving party does indeed comply to the standard contractual clauses, and that may involve more intensive auditing.”

It’s also worth noting that a new contract is required for each point-to-point data transfer, which can be a substantial task for a large enterprise. During a House of Commons committee meeting last year, Giles Derrington, then head of policy for Brexit, International and Economics at techUK, said the collapse of Safe Harbor had seen one large company needing to put in place 2 million SCCs in the space of a month to stay compliant. A similar-sized task may be required of large UK companies with a lot of transfers in and out of the EEA.

UK adequacy decision may take a while

The likes of SCCs and BCRs are the main options available to UK companies looking to send data from the EU and will remain so until any adequacy decisions are made by the EU. Countries labelled as adequate by the EU are deemed to have enough data protection legislation in place not to require any additional protections such as SCCs put in place by the companies themselves.

Currently, 11 countries have adequacy decisions from the EU, while Canada and the US have partial adequacy (US-EU data transfer is largely covered by Privacy Shield). The fastest adequacy assessment so far has been with Argentina and Japan, which each took around 18 months. South Korea, however, is still currently in discussions to achieve adequacy status despite having started negotiations at the same time as Japan in 2015. Assuming the UK and EU begin discussions over adequacy the day after Brexit on November 1, an adequacy decision may take over a year to appear, if it is made at all, meaning companies should be making preparations and not expecting rapid agreements.

“It is certainly not going to be a ‘Day One’ thing,” says Goldthorpe. “People who don't know how the commission works think it might be done relatively quickly; we have GDPR, nothing's going to change in that respect. But just all the political issues that get factored into any commission decision making, I think will inevitably slow it down.”

Some issues go beyond slow bureaucracy and could delay any adequacy decision. Although the UK’s Data Protection Act brings GDPR into UK law – and the GDPR leaves plenty of scope for countries to govern national security issues around data how they wish – the UK’s Investigatory Powers Act (also known as the “Snooper’s Charter”) and the passing of data to the US, Canada, Australia and New Zealand as part of the ‘Five Eyes’ alliance may present potential stumbling blocks if the EU decides they contravene EU citizens’ rights.

“The Snooper’s Charter was held to be inconsistent with what we should have been doing from a data protection point of view,” says Goldthorpe. “So, there is the question as to whether the EU will hold out and say until you fix those issues, we are going to say that you're an inadequate country and you don't have adequate protection.”

However, on the flip side, post-Brexit there is scope for the ICO to start making some of its own decisions about data flows to and from the UK to the rest of the world beyond the EEA. 

"It's possible that the UK will reach adequacy decisions with additional countries beyond the scope of what the EU has done," says OneTrust's Thielová. "It will be interesting to see how far this adequacy decision network will reach."

"It's also possible that if we don't get new SCCs by the time Brexit happens, which is highly likely, it's possible for the ICO to come up with their own version of the SCCs and produces their own template for transferring personal data outside the UK."

Schrems 2.0 puts the future of SCCs in doubt

While SCCs are the best mechanism for post-Brexit data flows at the minute, they could soon become invalidated because of a legal battle by privacy activists. Max Schrems is the privacy activist whose lawsuit against Facebook and how it transferred data from Europe to the US resulted in the US-EU Safe Harbor agreement being thrown out and Privacy Shield being brought in to replace it. With Schrems’ follow-up case – known as ‘Schrems 2.0’ – he is still challenging the courts on data transfers. As a result, the Court of Justice of the European Union is now considering whether SCCs are a valid mechanism for transferring personal data out of the EEA.

Whether this would affect all SCCs, just those governing data going to the US, or somewhere in the middle such as those under partial adequacy agreements is unclear. As for what would happen next, some small amendment might need to be made to SCCs in place, or the entire contract system may need to be replaced.

"Unless supervisory authorities can give assurances that such data transfer meets the Schrems conditions," says Wright Hassall's Jackson, "organisations may be deterred from using SCCs until further notice."

"Whilst a definitive answer cannot be given until the European Commission instructs further, if SCCs are invalidated then BCRs, the application of Article 3(2) GDPR or relying on a national adequacy finding, or an independently validated and assessed adequacy finding may be utilised depending on the specific data transfer. We consider it unlikely that the European Commission would seek to apply any decision to invalidate SCCs retrospectively."

A judgment from the court is expected in the first half of 2020, which even if SCCs are completely invalidated will still leave at least a few months where they remain the best and easiest option for UK companies.

“On the face of it, standard contractual clauses are really appealing and the easiest fix,” says Goldthorpe. “In the short term, they probably are. There's a chance that come the end of the year, that route might get closed off. One option could be that you can't use them at all, and in that case, you would expect the commission to try to come up with a replacement form of wording which plugs any holes that the courts have identified.”

Goldthorpe recommends that companies should take the time to understand where data is stored and how it is moving, especially when it comes to flows going into and out of the EEA. That way organisations can understand where the risks are and quickly react to changes around EU requirements.

Companies may also want to rethink where data is stored and how it moves across borders; keeping EEA data within the area’s borders rather than moving it back into the UK might make more sense from a compliance and business perspective. While VFS Global has its global headquarters in Dubai, Cook says the company currently has London as its European base but will have to change where its GDPR representative is based post-Brexit and has already moved some applications to data centers in mainland Europe.

Goldthorpe’s final advice is for companies to make sure their GDPR and Data Protection Act compliance is as good as it can be to avoid attracting interest from the ICO. “The ICO doesn't proactively investigate anyone really except perhaps Facebook. Issues tend to come to their attention when there's a problem. So, the more secure your systems are from a general information security point of view, the less likely the ICO is to ever look at it.”

Copyright © 2019 IDG Communications, Inc.
