With the Court of Justice of the European Union (CJEU) striking down the Privacy Shield agreement, the UK faces the double whammy of preparing for Brexit and dealing with the possibility of limited legal options for sending and receiving data to and from the EU and US. The CJEU’s decision could signal further issues for the EU granting the UK adequacy and ensuring seamless data flows between the two, which could be compounded further if the UK tries to strike a data agreement with the US.

UK-US data flows post-Brexit, sans Privacy Shield

Prior to the CJEU decision, UK-US data flows were due to be relatively uncomplicated post-Brexit. The UK was to continue to be part of Privacy Shield and allow data flows from the UK to participating companies in the US, with participating companies needing only to update the wording of their agreement to include the UK. This was due to be separate and unrelated to any adequacy decision from the EU. Data transfers from the US into the UK remain unaffected and unrestricted by the fall of Privacy Shield or Brexit.

Given the likely scenario of a no-deal Brexit without any adequacy decision, organisations looking to send data from the UK to the US will have to rely on standard contractual clauses (SCCs) to send personal data from EU or UK citizens to the US. The CJEU’s ruling requires that Data Protection Authorities take a closer look at SCCs where data goes to countries with strict surveillance regimes and block those flows where necessary. UK companies may find limited options for receiving data from the EU.

“This judgment signals that reliance on the SCCs will be subject to much greater levels of scrutiny, and that additional safeguards may need to be implemented to supplement the SCCs,” says Bridget Treacy, data privacy partner at law firm Hunton Andrews Kurth.
“EU data protection authorities will be expected to be more proactive in enforcing these requirements, suspending transfers if necessary.”

US companies that have their European bases in the UK might consider new lead locations within the EU to handle processing and sending of EU-related data. “UK data protection law post-Brexit will provide for the same protections for personal data relating to EU citizens as it does for UK citizens, and the court’s ruling will apply in the UK post-Brexit,” says Treacy. “As such, EU-based organisations will not be able to skirt the ruling by first transferring personal data to the UK prior to its transfer to the US.”

Binding corporate rules (BCRs) are also an option but will only be realistic for large enterprises due to their cost, complexity and the time needed to implement them. The European Data Protection Board (EDPB) recently updated its guidance on BCRs and Brexit, saying companies with BCRs that have the ICO as their lead authority will have to appoint a new lead authority within the European Economic Area (EEA) and may need to update them if they contain references to UK law.

A new version of Privacy Shield/Safe Harbor is a possible option. European Commission Vice President for Values and Transparency Věra Jourová and Justice Commissioner Didier Reynders said they are in talks with the US about what happens next, and that they “will not be starting from scratch,” and “an updated tool will be fully in line” with the Schrems II ruling.

While staying in line with or directly adopting Privacy Shield 3 would ensure smooth relations with the US and EU, it may still face similar legal challenges from privacy activists to the ones that brought down the previous agreements.
Whether a new agreement could be implemented before the UK leaves the EU is unclear.

According to a survey by law firm Fieldfisher, the majority of organisations say they will continue to use US-based or non-EEA/non-UK data processors in the light of the Schrems II case, 12% of organisations plan to reduce data transfers, while 30% are undecided. The CJEU expects organisations to conduct case-by-case risk assessments for each non-EEA data transfer in which they engage, yet according to the survey 40% do so or will do so for large or sensitive transfers out of the EEA. As to next steps, just over half of organisations that relied on Privacy Shield plan to proactively contact processors and ask them to move to SCCs, while a little over a third are waiting for more regulatory guidance before acting.

EU’s view of US surveillance jeopardizes UK adequacy

Post-Brexit, the UK is hoping to gain adequacy status. This would guarantee uninterrupted data flows between the UK and EEA and show the EU believes the UK’s data protection regime is on par with its expectations.

However, adequacy is far from guaranteed given the UK’s membership in Five Eyes, its agreement with the US around law enforcement data sharing under the CLOUD Act, and its own surveillance environment under the Investigatory Powers Act (IPA). Recent SNAFUs around its handling of shared databases don’t help, either. The IPA was amended recently, however, to require more authorisation steps for law enforcement to intercept data.

Privacy Shield was toppled due to the surveillance regime within the US, so adequacy ambitions will likely be dented further by the CJEU’s decision.
Though it was unlikely to be either side’s preference, it also dents any hopes for a partial agreement in the vein of Privacy Shield between the UK and EU.

“The ruling on data privacy in Europe’s highest court has significant implications for Brexit,” says Ben Rapp, founder and principal of data privacy consultancy Securys. “The UK, like the US, conducts mass surveillance, under the Investigatory Powers Act or ‘Snoopers’ Charter’.” He believes EU authorities might feel pressured to restrict data transfers to the UK when the UK fully leaves the EU in December 2020. “As Herwig Hoffman, one of the lawyers who presented the case to the European Court of Justice, says, ‘There can be no transfer of data to a country with forms of mass surveillance.’”

Without adequacy, the UK will be reliant on SCCs to receive data from the EU. If SCCs are subject to closer inspection from EU DPAs and shut down where they believe there is a risk to EU citizen data, the same surveillance regime that prevented adequacy may cause issues for some companies. “The ruling on the Privacy Shield is likely to have implications for the UK’s hopes for a post-Brexit data protection adequacy ruling from the European Commission,” says Treacy. “The UK can expect its surveillance laws to be subject to similar scrutiny to those of the US, to assess whether they respect the privacy rights of EU citizens.”

As Brexit day approaches, the likelihood of a deal or adequacy decision looks increasingly slim. In October the Court of Justice of the European Union (CJEU) ruled that the UK, French, and Belgian bulk data collection or retention regimes – even those being conducted in the name of ‘national security’ – must comply with EU law and be subject to its privacy safeguards, after a legal challenge to mass data collection was brought by Privacy International.
This ruling may be a further blow to the UK’s hopes of adequacy, especially if the Government decides not to change its data collection policies after leaving the EU.

Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, recently warned the EU Commission that the UK “lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights” and that the personal data of data subjects in the Union” do not at present have an adequate level of protection in the UK.”

Meanwhile, the House of Lords has published a report warning the UK risks not gaining an adequacy decision and urged the UK Government to act quickly to “give businesses in the UK and EU legal certainty and time to prepare.”

UK-US relations might hurt UK-EU relations

Current UK and US agreements around data have caused concern in the EU. Any further attempts at ensuring smooth data flows with the US without proper controls in place could impact UK-EU data flows further. “In making an adequacy ruling for the UK, the European Commission would consider, among other things, the ability for organisations to transfer personal data from the UK to countries that do not provide an adequate level of protection in the eyes of the EU, such as the US,” says David Dumont, data privacy partner at Hunton Andrews Kurth. “As such, the ability for UK organisations to continue to transfer personal data to the US without appropriate safeguards in place that are satisfactory to the EU would likely have implications for any UK adequacy decision.”

The UK agreeing to send data for law enforcement purposes under the CLOUD Act was cited as a concern by the EDPB. In an open letter to MEPs, it said the EDPB had doubts as to whether safeguards around personal data in the UK would be applied.
“When it comes to a possible adequacy decision for the UK, the EDPB considers that the agreement concluded between the UK and the US will have to be taken into account by the European Commission,” the letter read.

The US Department of Commerce has said it will continue to administer the Privacy Shield program, including maintaining the Privacy Shield list and processing submissions for self-certification and re-certification. This potentially provides an avenue for the UK to re-adopt Privacy Shield post-Brexit and ensure at least some continuity around data flows after December 31. Such a move would require a change in law and inevitably impact UK-EU relations.

“Given that the full EU exit is just around the corner, the UK could continue to use Privacy Shield for transfers to the US,” says Rapp, “but that would pretty much kill off any hope of the UK being able to have a free flow of data with the EEA under an adequacy agreement.”

How to prepare for Brexit without Privacy Shield or adequacy

The UK ICO says it is reviewing guidance and advises that if you are currently using Privacy Shield, continue to do so until new guidance becomes available, but do not start to use Privacy Shield during this period.
Dumont recommends that UK organisations that were reliant on Privacy Shield should implement new data transfer mechanisms now: SCCs, BCRs or derogations under the GDPR such as where the transfer is necessary to perform a contract.

“Where standard contractual clauses are chosen as the new mechanism, UK companies will need to assess the data transfer and determine whether, in light of the nature of the data transferred and the recipient’s exposure to the US surveillance regime, there is in fact an adequate level of protection for the personal data transferred,” says Dumont.

US organisations receiving data from the UK should also be quickly looking at replacement mechanisms such as SCCs but be ready to answer more questions from UK and EU partners. “US companies should be prepared to respond to questions from UK exporters as to their exposure to the US surveillance regime and consider any technical safeguards (such as encryption) that could be implemented to ensure an adequate level of protection,” says Dumont.