What the end of Privacy Shield, Brexit mean for UK-US data flows

With the Court of Justice of the European Union (CJEU) striking down the Privacy Shield agreement, the UK faces the double whammy of preparing for Brexit and dealing with the possibility of limited legal options for sending and receiving data to and from the EU and US. The CJEU’s decision could signal further issues for the EU granting the UK adequacy and ensuring seamless data flows between the two, which could be compounded further if the UK tries to strike a data agreement with the US.

UK-US data flows post-Brexit, sans Privacy Shield

Prior to the CJEU decision, UK-US data flows were due to be relatively uncomplicated post-Brexit. The UK was to continue to be part of Privacy Shield and allow data flows from the UK to participating companies in the US, with participating companies needed only to updating the wording of their agreement to include the UK. This was due to be separate and unrelated to any adequacy decision from the EU. Data transfers from the US into the UK remain unaffected and unrestricted due to the fall of Privacy Shield or Brexit.

Given the likely scenario of a no-deal Brexit without any adequacy decision, organisations looking to send data from the UK to the US will have to rely on standard contractual clauses (SCCs) to send personal data from EU or UK citizens to the US. The CJEU’s ruling requires that Data Protection Authorities take a closer look at SCCs where data goes to countries with strict surveillance regimes and block those flows where necessary. UK companies may find limited options for receiving data from the EU.

“This judgment signals that reliance on the SCCs will be subject to much greater levels of scrutiny, and that additional safeguards may need to be implemented to supplement the SCCs,” says Bridget Treacy, data privacy partner at law firm Hunton Andrews Kurth. “EU data protection authorities will be expected to be more proactive in enforcing these requirements, suspending transfers if necessary.”

US companies that have their European bases in the UK might consider new lead locations within the EU to handle processing and sending of EU-related data. “UK data protection law post-Brexit will provide for the same protections for personal data relating to EU citizens as it does for UK citizens, and the court’s ruling will apply in the UK post-Brexit,” says Treacy. “As such, EU-based organisations will not be able to skirt the ruling by first transferring personal data to the UK prior to its transfer to the US.”

Binding corporate rules (BCRs) are also an option but will only be realistic for large enterprises due to their cost, complexity and time needed to implement. The European Data Protection Board (EDPB) recently updated its guidance on BCRs and Brexit, saying companies with BCRs that have the ICO as its lead authority will have to appoint a new lead authority within the European Economic Area (EEA) and may need to update them if they contain references to UK law.

A new version of Privacy Shield/Safe Harbor is a possible option. European Commission Vice President for Values and Transparency Věra Jourová and Justice Commissioner Didier Reynders said they are in talks with the US about what happens next, and that they “will not be starting from scratch,” and “an updated tool will be fully in line” with the Schrems II ruling.

While staying in line with or directly adopting Privacy Shield 3 would ensure smooth relations with the US and EU, it may still face similar legal challenges from privacy activists to the ones that brought down the previous agreements. Whether a new agreement could be implemented before the UK leaves the EU is unclear.

According to a survey by law firm Fieldfisher, the majority of organisations say they will continue to use US-based or non-EEA/non-UK data processors in the light of the Shrems II case, 12% of organisations plant to reduce data transfers, while 30% are undecided. The CJEU expects organisations to conduct case-by-case risk assessments for each non-EEA data transfer in which they engage, yet according to the survey 40% do so or will do so for large for sensitive transfers out of the EEA. As to next steps, just over half of organisations that relied on Privacy Shield plan to proactively contact processors and ask them to move to SCCs, while a little over a third are waiting for more regulatory guidance before acting.

EU’s view of US surveillance jeopardizes UK adequacy

Post-Brexit, the UK is hoping to gain adequacy status. This would guarantee uninterrupted data flows between the UK and EEA and show the EU believes the UK’s data protection regime is on par with its expectations.

However, adequacy is far from guaranteed given the UK’s membership in Five Eyes, its agreement with the US around law enforcement data sharing under the CLOUD Act, and its own surveillance environment under the Investigatory Powers Act (IPA). Recent SNAFUs around its handling of shared databases don’t help, either. The IPA was amended recently, however, to require more authorisation steps for law enforcement to intercept data.

Privacy Shield was toppled due to the surveillance regime within the US, so adequacy ambitions will be likely be dented further by the CJEU’s decision. Though it was unlikely to be either side’s preference, it also dents any hopes for a partial agreement in the vein of Privacy Shield between the UK and EU.

“The ruling on data privacy in Europe’s highest court has significant implications for Brexit,” says Ben Rapp, founder and principal of data privacy consultancy Securys. “The UK, like the US, conducts mass surveillance, under the Investigatory Powers Act or ‘Snoopers’ Charter’.” He believes EU authorities might feel pressured to restrict data transfers to the UK when the UK fully leaves the EU in December 2020. “As Herwig Hoffman, one of the lawyers who presented the case to the European Court of Justice, says, ‘There can be no transfer of data to a country with forms of mass surveillance.’”

Without adequacy, the UK will be reliant on SCCs to receive data from the EU. If SCCs are subject to closer inspection from EU DPAs and shut down where they believe there is a risk to EU citizen data, the same surveillance regime that prevented adequacy may cause issue for some companies. “The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission,” says Treacy. “The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”

As Brexit day approaches, the likelihood of a deal or adequacy decision looks increasingly slim. In October the Court of Justice of the European Union (CJEU) ruled that the UK, French, and Belgian bulk data collection or retention regimes – even those being conducted in the name of ‘national security’ – must comply with EU law and subject to its privacy safeguards after a legal challenge to mass data collection was brought around by Privacy International. This ruling may be a further blow to the UK’s hopes of adequacy, especially if the Government decides not to change its data collection policies after leaving the EU.

Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, recently warned the EU Commission that the UK “lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights” and that the personal data of data subjects in the Union” do not at present have an adequate level of protection in the UK.”

Meanwhile, the House of Lords has published a report warning the UK risks not gaining an adequacy decision and urged the UK Government to act quickly to “give businesses in the UK and EU legal certainty and time to prepare.”

UK-US relations might hurt UK-EU relations

Current UK and US agreements around data have caused concern in the EU. Any further attempts at ensuring smooth data flows with the US without proper controls in place could impact UK-EU data flows further. “In making an adequacy ruling for the UK, the European Commission would consider, among other things, the ability for organisations to transfer personal data from the UK to countries that do not provide an adequate level of protection in the eyes of the EU, such as the US” says David Dumont, data privacy partner at Hunton Andrews Kurth. “As such, the ability for UK organisations to continue to transfer personal data to the US without appropriate safeguards in place that are satisfactory to the EU would likely have implications for any UK adequacy decision.”

The UK agreeing to send data for law enforcement purposes under the CLOUD Act was cited as a concern by the EDPB. In an open letter to MEPs, it said the EDPB had doubts as to whether safeguards around personal data in the UK would be applied. “When it comes to a possible adequacy decision for the UK, the EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission,” the letter read.

The US Department of Commerce has said it will continue to administer the Privacy Shield program, including maintaining the Privacy Shield list and processing submissions for self-certification and re-certification. This potentially provides an avenue for the UK to re-adopt Privacy Shield post-Brexit and ensure at least some continuity around data flows after December 31. Such a move would require a change in law and inevitably impact UK-EU relations.

“Given that the full EU exit is just around the corner, the UK could continue to use Privacy Shield for transfers to the US,” says Rapp, “but that would pretty much kill off any hope of the UK being able to have a free flow of data with the EEA under an adequacy agreement.”

How to prepare for Brexit without Privacy Shield or adequacy

The UK ICO says it is reviewing guidance and advises that if you are currently using Privacy Shield, continue to do so until new guidance becomes available, but do not start to use Privacy Shield during this period. Dumont recommends that UK organisations that were reliant on Privacy Shield should implement new data transfer mechanisms now: SCCs, BCRS or derogations under the GDPR such as where the transfer is necessary to perform a contract.

“Where standard contractual clauses are chosen as the new mechanism, UK companies will need to assess the data transfer and determine whether, in light of the nature of the data transferred and the recipient’s exposure to the US surveillance regime, whether there is in fact an adequate level of protection for the personal data transferred,” says Dumont.

US organisations receiving data from the UK should also be quickly looking at replacement mechanisms such as SCCs but be ready to answers more questions from UK and EU partners. “US companies should be prepared to respond to questions from UK exporters as to their exposure to the US surveillance regime and consider any technical safeguards (such as encryption) that could be implemented to ensure an adequate level of protection,” says Dumont.