Moving EU personal data across EU boundaries - After Brexit Transition ends, will EU regulators trust you to look after it?

Written By:
Content Copyright © 2020 Bloor. All Rights Reserved.
Also posted on: Bloor blogs

Now that the UK is threatening to break international law and go back on its negotiated EU Withdrawal treaty, businesses need to be aware of the possible consequences. There are, in my opinion, existential business resilience issues arising if the EU ceases to trust the UK legal environment – and possible EU sanctions could make some business processes impossible.

Consider international data transfers, for example, which are a part of the business process for many global enterprises. Increasingly, there are special legal provisions surrounding the transfer of “personal data” across national boundaries, in case the destination’s privacy laws are less exacting (or less well enforced) than the owner of the data in the originating country would expect. I will talk about GDPR issues here, but similar regulations, often based on GDPR, are being enacted throughout the world, so it is not just the EU you have to worry about.

In the EU context, if I collect lots of data about identifiable French customers, say, in France I can’t simply ship it over to the USA, for analytics processing, for example, unless the EU data protection regulators accept that the USA will respect the privacy of the personal data of French customers just as much as France does. And, in general, they don’t, which is why many international companies set up EU subsidiaries, which hold the data of EU citizens on databases in EU-located data centres. Even so, accessing these EU data centres from a PC located in the USA will be illegal if any EU personal data is transferred for processing on the US PC – even temporally (in part, because US spooks seem to have have unfettered access to any data being processed in the USA).

GDPR implements the EU data protection law. The UK (which is outside the EU) can’t simply enact a version of GDPR and claim that its privacy standards are “world beating” and quite good enough for the EU. The EU has to formally accept that UK privacy provisions are “adequately” equivalent to those in the EU – with what the EU calls an “Adequacy Decision” – or, as I understand it, a French citizen who is a customer of an Oxford St shop can bring a legal action against the shop, if it stores or processes her personal data outside of the EU (i.e. in London), without appropriate protection.

Discussions on the adequacy of UK data protection law have already started and might be finished by 1st Jan 2021 – the UK Information Commissioners Office (ICO) will keep us informed .But we might not get an adequacy decision before transition ends and if any of this might impact your business, please take appropriate legal advice (and/or talk to the ICO) sooner rather than later; don’t rely on “common sense” or “experts” on social media.

The UK is in the transition period during 2020 so none of this has impacted us yet – we are treated as if we were still in the EU. This ends at the start of 2021, when we will be treated just like any other non-EU country (depending a bit on any “exit deal” we manage to negotiate). So, we should look at the USA situation, which is probably what we’ll be in (except that the USA is a lot further away from the EU than UK is and proximity probably affects the volume of data transfers).

You may have heard that there are ways around these EU data transfer privacy issues – the US Privacy Shield scheme and (more expensive and more complex) Standard Contractual Clauses. Unfortunately, the EU has decided that Privacy Shield is inadequate so you can forget about that one; and EU Data Protection has teeth and “while last July’s ruling did not strike down the Standard Contractual Clauses (SCCs) used as opt-outs by many companies, it seems likely that will come under the gaze of the courts before long”. Here.

If you think that this is all scare mongering and isn’t going to matter in practice, note that the Irish Data Protection Commission has just sent Facebook a preliminary order to suspend the transfer of EU citizens’ data to the US. Obviously, that raises potential issues for EU companies trading or operating in the USA; and for US companies operating or trading in the EU.

Here’s where the business resilience issue for UK companies trading with the EU comes in. Starting in 2021, we are in the same position relative to the EU as the USA is:

  • If you do business in the EU or with EU citizens and currently process or store the personal data of EU citizens in the UK, then there is a risk that we won’t get a GDPR adequacy decision at the end of 2020 and you’ll have to stop.
  • If you want to risk the EU not noticing that you are still doing transferring personal data across the EU border or storing EU personal data outside of the EU then remember that the potential fines and other sanctions are huge (to say nothing of possible reputation loss) and could put you out of business.
  • The EU probably won’t be proactively looking at smaller companies – but any disgruntled EU citizen customer could make life very difficult for you.
  • There are potentially existentialist risks appearing that I think that your Business Resilience strategy should deal with.

This data transfer privacy issue has been around for years (the Institute of Directors has been highlighting it for some time) so why bring it up now especially?

Well, in part, because I only meet a few people who seem to appreciate this issue (and they are very worried about it); the majority of people I meet have never thought about GDPR’s impact on data transfers with the EU post-Brexit much, if at all.

Mainly, however, because the best way out of this issue for the UK is obtaining a GDPR Adequacy Agreement from the EU, which means that the EU trusts the UK not only to put the equivalent of EU GDPR into UK law but also to enforce it. We have just, however, threatened to break international law in order to change the Withdrawal Agreement we signed with the EU and the EU is threatening sanctions and legal action against us as a result. Not much trust left there then.

In my opinion, there is a real possibility that we now won’t get an Adequacy Decision from the EU (by 2021 anyway), an opinion which seems to be shared in the European Commission. Which means that UK firms should now be assessing whether they have any data transfers that might need one ASAP; and coming up with contingency plans if there is an issue. Merely relying on the goodwill of the EU is looking increasingly risky.