grandeduc - Fotolia

Post-Privacy Shield, what chance for a Brexit data adequacy deal?

The striking down of Privacy Shield has been hailed as a victory for digital rights and privacy campaign groups, but it will have consequences that go beyond transatlantic data transfers

This article can also be found in the Premium Editorial Download: Computer Weekly: The UK’s $500m space technology gamble

The 16 July 2020 ruling from the European Court of Justice (ECJ) that Privacy Shield – the legal mechanism that enables hundreds of thousands of US-based organisations to transfer data into and out of Europe – is invalid, has huge repercussions for the technology industry and for wider transatlantic trade.

However, with the UK now heading out of the European Union (EU), the decision also sets a precedent for Brexit, with major ramifications for UK-based organisations that currently transfer data across the Channel after the transition period ends.

Mark Kahn, general counsel and vice-president of policy at Segment, a supplier of data platform services, said: “When the ECJ ruled on Privacy Shield last week, it invalidated an umbrella arrangement between two hugely important trading partners.

“The ruling offered little clarity over the future of EU-US data transfers, and while its impact is yet to be fully understood, we can certainly expect data protection authorities to assess contractual agreements on a case-by-case basis from here on in.”

Kahn said that with its ruling, the court has made a strong statement in favour of individual data protection rights, and indirectly set an “interesting challenge” for the UK’s future data relationship with the EU.

“Any assessment of the UK’s data adequacy is now sure to be under increased scrutiny, making the free transfer of data between the EEA [European Economic Area] and UK far from certain after the Brexit transition period,” he said.

Bridget Treacy, data privacy partner at Hunton Andrews Kurth LLP, a London-based law firm, said: “There has obviously been very extensive scrutiny of the US agencies’ and intelligence services’ powers to commandeer information, and gain access to it, just as with every other country that has made it onto the European adequate list.

“The UK is also going to be subject to that scrutiny. So once we’re outside the EU and applying for adequacy recognition from the European Commission, we can expect that our legislation will also be subject to scrutiny just as the US has been and, indeed, as other countries on the adequate list will have been as well.

“That’s where there’s uncertainty, and you know there will be close scrutiny and there will probably be some issues raised. I don’t think it’s a straightforward path at all for the UK to pass that test and to be designated as adequate.”

Surveillance laws

As Computer Weekly reported last week, Kahn and Treacy are not alone in this assessment. Daniel Tozer, head of data and technology at law firm Harbottle & Lewis, also said the judgment raised questions over the ability of organisations to easily move data between the EU and the UK, especially given the state of the UK’s surveillance laws and its membership of Five Eyes, the anglophone intelligence-sharing alliance that also includes Australia, Canada, New Zealand and the US.

Open Rights Group executive director Jim Killock, meanwhile, said it was inevitable the UK’s surveillance regime will now be questioned following the judgment, because Europe had made it clear that it has rejected Privacy Shield precisely over surveillance concerns.

Treacy said that prior to the UK leaving the EU, national security and surveillance was not an area that fell within the competence of the EU, but that would clearly change after the Brexit transition period ends.

“Once we leave the EU, then those laws are subject to scrutiny and assessment, as we’ve seen with the US in the context of Privacy Shield,” she said. “That is something that has already been flagged as a potential hurdle for the UK in the context of an adequacy assessment.

“It’s interesting, too, with some of the comments that have been made on the judgment, thinking about those and the broader context because, of course, the US and the UK are members of the Five Eyes framework and two other countries that have been assessed as adequate are New Zealand and Canada. It will be interesting to see whether in fact this is then reopened and whether any of those countries are subject to additional scrutiny.”

It might also be considered something of an irony that the EU has no say over the surveillance laws that its members enact, so there may be countries in the EU that have far more stringent surveillance laws than the UK, opening up the possibility that, technically, EU citizen data could be safer held in the UK than in a member state that had, for example, enacted unfair surveillance legislation, or compromised the independence of its judiciary.

Beyond GDPR

Treacy noted that the UK clearly aimed to be assessed as an adequate jurisdiction from a data protection standpoint, and this could be seen in some of the strategic decisions taken in relation to the 2018 Data Protection Act, which goes beyond what is required by the General Data Protection Regulation (GDPR) alone.

“We’ve sought to have very consistent and actually, in some respects, more extensive data protection law here than in the EU and obviously that’s done with a view to helping that adequacy assessment,” she said.

“An important point to note is that this judgment is going to be part of UK law, so we will continue to need to take note of it, and we will need to comply with what it requires even after we have left the EU, because it will be part of our law.”

Treacy argued that given these factors, plus others such as the independence of the UK’s legal system and its data protection regulators, and the fact that individuals have rights and access to legal redress, the UK ticks a lot of boxes.

“The big unknown is how our surveillance laws would be assessed,” she said. “At the end of the day – and you see this too with the Privacy Shield negotiations – it’s not just a purely objective assessment – there will be other factors that will be discussed and taken into account as well, and it’s not always clear exactly what they are.”

What to do next

As we wait for an outcome either way, it is sensible for organisations to prepare for the eventual decision on data adequacy to go against the UK, and Segment’s Kahn said it is worth considering this today.

“Recent ICO statements confirm that UK businesses can continue to rely on Privacy Shield for now – a clear indication that the UK wishes to set itself apart from the EU in its approach,” he said. “On the plus side, that means British businesses can probably expect a more straightforward path to transatlantic data transfers after the transition period. With the EU, however, things just became a lot more complicated.

“No matter the outcome for the UK, the ECJ ruling makes clear that businesses need to know exactly what data they have, where it came from, and how it’s flowing through their systems and services. Doing the bare minimum to honour privacy rights is no longer enough at an ethical level – and in an age of regulatory uncertainty, it’s also an unwise move in terms of future compliance.”

There are several things that UK-based organisations can do right away to put themselves in the best possible position going forward, said Hannah Ife, an associate at JMW Solicitors. The first step is to review personal data flows into and out of the EEA, identify key mechanisms relied on for transferring personal data, paying particular regard to standard contractual clauses (SCCs), which may need revision should the EU release new ones.

Multinationals should think about how they use any current EEA-approved binding corporate rules for transfers in and out of the UK, and update them to reflect the UK’s new status as a third country.

Ife also advised updating documentation and privacy notices to cover UK-EEA data transfers under UK adequacy regulations, and if you also transfer data from the US, to check that whoever you transfer data to there has made the required updates to their commitment to comply with Privacy Shield.

UK-based data controllers that have no offices in the EEA but transfer data on European citizens there should also consider appointing a local European representative under Section 27 of the GDPR – and the reverse holds true for European controllers transferring data on UK citizens.

Finally, said Ife, organisations will need to review privacy notices, data protection impact assessments (DPIAs) and other documentation to include updated references to EU law, UK-EU data transfers, and so on.

Read more about the end of Privacy Shield

Read more on Privacy and data protection

Data Center
Data Management