Brexit data protection decision uncertainty threatens UK-EU data flows

A no-deal Brexit scenario seems likely, and CISOs will need to adapt policies and procedures if the EU does not declare data protection adequacy for the UK.


As the COVID-19 crisis begins to ease, the UK can return its focus to negotiating a Brexit deal to leave the European Union before it crashes out at the end of the year. With little sign of any permanent agreements being made, UK organizations with operations in the EU need to prepare to operate under a new set of data protection rules.

Under the Withdrawal Agreement, the transition period runs to December 31, 2020. Until then the requirements around data protection remain the same as before: Data flows between the UK and the EU can continue unhindered, and firms continue to comply with local data protection requirements.

A study by UCL found that around 75% of the UK’s international data flows are with the EU and concluded that disruption to them would be “extremely damaging” for UK businesses. If the UK leaves under a no-deal scenario without a data protection deal or a decision that the UK provides adequate data protections, it will become a “third country” and data flows will no longer be allowed without additional legal instruments such as standard contractual clauses (SCCs).

“The UK-EU trade talks have been characterised by a desire to seem willing to walk away without a deal, but it’s difficult to know how far that reflects reality, and how far it’s just a negotiating tactic,” says Camilla Winlo, director of consultancy at privacy and data protection consultancy DQM GRC. “Whilst it’s impossible to know how much of this is real and how much is bluster, it is very far from certain that the UK will leave the EU with a trade deal that covers digital trade and data protection.”

Digital trade is just one of 34 areas under negotiation. The EU task force has outlined its post-Brexit vision in a draft agreement, saying it is committed to facilitating digital trade with unrestricted data flows as long as the UK recognises that the protection of personal data and privacy is a fundamental right.

“The draft trade agreement includes little more than an acknowledgement that digital trade and data protection are important, and that both sides need to maintain good standards,” says Winlo. “However, it does not state that the UK will be granted adequacy.”

What negotiators have said publicly on data protection in the context of law enforcement is not encouraging. In May Michel Barnier, the European Commission's head of the task force for relations with the UK, said that the UK “insists on lowering current standards and deviating from agreed mechanisms of data protection.”

The European Data Protection Supervisor has recommended that the EU “take steps to prepare for all eventualities,” including where adequacy decisions are made but not adopted within the transition period, where no adequacy decision is granted, or where there is only a partial agreement. Germany has also called for the EU to draw up plans for “no deal 2.0.”

“Organisations should be prepared for the UK not to receive an adequacy decision, particularly if no trade deal is agreed,” says Winlo.

No data protection adequacy could mean no data flows

In lieu of a deal to allow the UK membership of the EU’s digital single market, the EU would ideally grant the UK an adequacy decision before the end of the transition phase. The UK and EU have previously said they are “committed to ensuring a high level of personal data protection to facilitate such flows between them” and hope to have made agreements by the end of the transition period. While the EU has said the Commission expects to finalise the adequacy assessment by the end of 2020, a decision is not guaranteed even if the assessment is completed in time.

The UK’s data protection regulation mirrors the EU’s and the UK has said protecting personal data “is and will continue to be a priority” in its own policy papers advocating for EU adequacy. However, the Investigatory Powers Act (also known as the “Snooper’s Charter”) and the UK’s membership in the Five Eyes alliance may also affect the granting of an adequacy decision if the EU decides they infringe on EU citizens' rights or if the EU fears such data will be passed to countries without an adequacy decision. The UK Government was also recently accused of “behaving like a bunch of cowboys” after copying information from the EU’s Schengen Information System, which could further impact any adequacy decisions. The UK House of Lords has published a report warning the UK risks not gaining an adequacy decision and urged the UK Government to act quickly to “give businesses in the UK and EU legal certainty and time to prepare.”

Standard contractual clauses and binding corporate rules, though expensive and time-consuming to implement, remain the best option for UK organizations operating in Europe to ensure compliant data flows post-Brexit whether or not a deal is struck or adequacy is granted. Companies not already undergoing SCC implementation will need to hurry to be compliant in time, and companies that have implemented them will need to ensure ongoing compliance with their requirements.

Though the validity of SCCs was upheld in court after a challenge by activist Max Schrems, the European Court of Justice warned that SCCs should not be valid where the data is being sent to a country or company where it may be subject to mass surveillance without the controls the EU deems necessary. Given the CJEU ruled in October, after a legal challenge by Privacy International, that the UK's bulk data collection or retention regime – despite being conducted in the name of ‘national security’ – must comply with EU law and be subject to its privacy safeguards, both adequacy and valid SCCs could be out of the UK's reach.

EU data protection adequacy may come and go

A recent UCL policy paper predicts the UK will be granted an adequacy decision, but the EU-UK data flows relationship “will be complex and could remain unresolved for years.” The paper warns that EU adequacy would be an “unstable arrangement” that could be affected or even invalidated if challenged in court, or the UK either deviates from EU legislation or “significantly liberalizes” data flows with the US in a future trade agreement.

Prime Minister Boris Johnson has said that the UK will “develop separate and independent policies in areas such as ... data protection, maintaining high standards as we do so,” despite the EU warning that “substantial deviation would be [an] obstacle” toward granting adequacy.

The US tends to favour unrestricted data flows in trade deals, which the EU could see as an issue if the UK tries to move away from Privacy Shield. At the same time, Secretary of State for International Trade Liz Truss has said that the UK is looking to create a “very advanced digital and data chapter” with the 11 Pacific nations of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), including Japan, Mexico, Canada, Chile, Australia and New Zealand. As with the US, agreeing digital single markets with many of those nations could jeopardize EU adequacy.

“The UK has significantly more state surveillance than many other European countries, and it has taken a different approach to enforcement than many other EU countries -- resulting in a lower number of fines [from the ICO],” says Winlo.

The UK could pursue a Privacy Shield-type agreement with the EU that would allow individual companies to receive data from the EU if they meet certain conditions. Such an agreement could take even longer than an adequacy decision, and the current model is under threat due to legal challenges from both Max Schrems and La Quadrature du Net.

Best data protection advice about Brexit

Whatever happens, the UK is unlikely to make significant alterations to its data protection requirements in the short term. This could change as the EU updates its data protection rules or if the UK aligns closer to other trading partners such as the US.

The UK Data Protection Bill 2018, PECR and the NIS Regulation will continue to apply after the UK has left the EU, deal or no deal. While the eIDAS Regulation will no longer apply, the ICO says the government plans to bring it into UK law in the future.

In a no-deal scenario, data flows from the UK into Europe, or from the US into the UK, will remain unaffected. If they haven’t already, UK companies sending data to the US under the Privacy Shield agreement (and US organisations receiving data from the UK under Privacy Shield) should update the wording of their Privacy Shield privacy policies.

In the ‘no deal, no adequacy’ scenario, firms receiving data from the EU will need to appoint a member state representative within the EU, as will EU firms sending data to the UK. As with the rush for data protection officers (DPOs) during GDPR’s implementation, there may be a shortage of people to appoint.

“With hundreds of thousands of companies trading between the UK and EU, there is a risk of a looming capacity crunch in the availability of these representatives,” warns DQM’s Winlo. “Any organisation that cannot make an internal appointment will need to outsource to a data privacy specialist, and each one of these will only be able to take on a certain number of clients. All of this requires organisations to make sure they have mapped out and understood their data flows, and the pros and cons of the choices available to them.”

Sending data from the European Economic Area (EEA) to the UK without data transfer measures in place will leave a company liable for contravening GDPR and open to fines.

Moving certain operations or data systems to the EU so that no personal information of EU citizens is sent to the UK avoids compliance issues. VFS Global, an outsourcing company that handles visa and passport issuance-related tasks for governments, transferred staff and data centres from the UK to mainland Europe last year as a result of Brexit uncertainty.

Winlo advises that companies update their data flow maps to understand where data is located and how it is processed, identify whether they will need to appoint representatives in the EU and UK, update business continuity planning, liaise with partners in the EU where needed, and make decisions as early as possible to ensure the right safeguards are included.

“It’s rarely wise to let the regulatory tail wag the operational dog,” Winlo says. “Be prepared for change. With so much uncertainty, it’s wise to ensure that your plans are flexible and allow scope for a trade deal to be agreed or not, and an adequacy decision to be agreed or not. In many cases, you will be able to manage your risks by making choices that will be compliant regardless of what happens. The more of these you can make, and the earlier you can make them, the more resilient your organisation will become.”

Copyright © 2020 IDG Communications, Inc.