Recent court rulings have cast doubt on how GDPR data transfer rules will work post-Brexit. Iain Bourne looks at what is happening and what UK businesses can do to prepare.
Just a year ago sending and receiving data all seemed so straightforward. After full departure from the EU, the UK would continue to implement the GDPR, the UK would automatically achieve ‘adequacy’ and it would be business as usual in terms of international data flows to or from the UK. At least, that is what most data protection commentators had assumed. However, things look very different now due to several different but interrelated issues.
Max Schrems, an Austrian privacy campaigner, was largely responsible for the invalidation of the ‘Safe Harbor’ scheme in 2015. Safe Harbor used to allow the transfer of personal information from the EU to companies in the US that had signed up to the scheme and had implemented EU-type data protection for the transferred data. Then Safe Harbor was replaced by the strengthened Privacy Shield, which again was struck down by the European Court of Justice (ECJ) earlier this year as the result of another case brought by Schrems.
The 'Schrems II' judgement also suggested that Standard Contractual Clauses – an alternative means of legitimising the transfer of personal information from the EU to a recipient organisation in a third country – may also be inadequate because of the clauses’ failure to guarantee the protection of the information from the US intelligence services. A big ask. Data protection commentators have also suggested that the judgement may invalidate EU-Switzerland data transfer mechanisms, too.
Exchanging personal data
Unfortunately for the very many organisations in the UK and the EU that are dependent on the exchange of personal information with the US, neither of the relevant judgements makes it clear how organisations should legitimise their data transfers. As judges should do, they interpreted and applied the relevant law. It was not their job to find solutions to the problems their ruling would inevitably cause. That is the job of the regulator.
However, neither UK nor EU data protection agencies’ guidance makes it clear how – or whether – EU to US data exchanges can continue to take place. The problem has been compounded by a recent decision of the Conference of Independent German Federal and State Data Protection Supervisory Authorities. It said that the use of Microsoft Office 365 is in contravention of German – and presumably EU – data protection law, largely because of data transfer / cloud issues. It seems that in the EU (and other places too) data localisation may be winning the day.
Now the Court of Justice of the European Union (CJEU) has ruled that the information-gathering capabilities of several EU countries’ national security agencies – including those of the UK and France – are incompatible with the requirements of the GDPR. (This is odd, as the GDPR does not apply to the processing of personal information carried out for UK national security purposes.) However, it will be interesting to see whether the UK government takes the necessary measures to bring GCHQ et al in line with this judgement. That is probably rather unlikely.
UK adequacy decision now in doubt
The GDPR makes it clear that in assessing UK adequacy – as it presumably is doing now – the European Commission (EC) must consider not just data protection standards but other factors including national security legislation. So, if the CJEU considers that the UK’s national security information gathering arrangements are illegal and the EC is bound by the CJEU, then it is difficult to see how the UK could achieve ‘adequacy’ – unless it changes these arrangements and ultimately diminishes the UK intelligence agencies’ information collection and analysis capacity.
Commissioner Jourová, Vice President of the European Commission for Values and Transparency, said recently: “I cannot predict now whether it will be so easy and without any further negotiations needed for the possible adequacy decision because we do not know whether or not the UK will introduce some changes in their national legislation which might deviate from the general line of the general data protection regulation.”
This suggests that unless the UK’s future data protection law replicates the basic structure and concepts of the GDPR, it will not achieve adequacy – leaving aside the national security issue. However, note that both Israel and New Zealand achieved ‘adequacy’ even though their laws deviate significantly from the GDPR and predate it.
Where does this leave the UK?
Clearly there are legal and political developments in this area that UK businesses have little or no opportunity to influence. We do not know if EU data protection agencies and the European courts will take a hard line over EU to UK data transfers, as they have done in the case of EU to US ones. It is certainly a possibility that the GDPR’s largely unpoliced – and perhaps unpoliceable – international transfer rules will rise up EU data protection agencies’ agendas.
The best way to negotiate this highly challenging environment is to concentrate on the governance basics. If you are a UK business dependent on the exchange of personal information with your EU counterparts:
- map out your key dependencies – i.e., your biggest EU trading partners and the ones you exchange the most personal information with
- check that there are up-to-date contracts in place between the two parties which contain all the GDPR-mandated elements
- for high-risk data exchanges, carry out periodic site inspections and do everything necessary to ensure effective governance is in place – this is the best way to minimise the risk of disruption to data transfers
- monitor the situation – make sure your data protection team is aware of this issue and watch what EU regulators are saying and doing.