The enormous – and enormously valuable – flow of personal data from the European Economic Area to the world’s largest economy, the USA, is again at existential risk. This alone is not good. But combined with uncertainty on Brexit and the ability of UK businesses to receive personal data from the EEA after 29 March 2019, there is a clear and present danger to service and business continuity in the UK. Why?
The US government’s ability and appetite to access personal data held by US businesses is threatening ‘Privacy Shield’, the EU-approved mechanism for transferring personal data to companies in the USA. Worse, the same argument might make other methods such as standard contractual clauses (‘SCCs’) – the most popular and practical alternative – invalid.
On Brexit, there’s no clarity on the mechanism for continued transfers of personal data from the EEA to the UK, or that the mechanism will be in place in time. This uncertainty means UK businesses will have little choice but to have SCCs ready to sign with each and every business in the EEA which shares personal data with them, should the need arise.
Fast forward and, in a worst-case scenario, the same arguments against the US on Privacy Shield might be levelled against the UK, putting an adequacy decision – or any other method of transfer from the EEA to the UK – in jeopardy.
Lastly – completing the complex triangle – what happens to personal data transfers from the UK to the US after Brexit if Privacy Shield fails? Assuming the UK wants to maintain adequacy with Europe, it can’t approve a method unacceptable to Europe or it will risk any adequacy decision. Another reason we hope Privacy Shield remains in place, amended as needed.
The EU’s concern is that the level of protection given to individuals in Europe by the GDPR is not undermined as a result of a ‘transfer’ of their personal data outside the EEA. So, before any transfer takes place, the European business must identify a method to safeguard the data after the transfer, from a limited list set out in a strict order of preference by EU law. These essentially put an ‘EU wrapper’ around the data, ensuring that EU-level rights and protections travel with that data.
The first, and preferred, method is an ‘adequacy decision’. Literally, the European Commission decides that the protection given to personal data and related rights in a non-EU country is adequate. If they do, the UK business is free to transfer personal data to any person or business in that third country (or under that mechanism) without, for example, having to ask for consent or using a special contract for the transfer itself. Only a dozen adequacy decisions have been made to date, including for Argentina, New Zealand and Switzerland – and Japan is due later in 2018.
The US is a special case. While many States have extensive data protection laws, there is no generally-applicable federal privacy law. The EU has never made an adequacy decision for the USA as a country. Instead, the US and EU regulators agreed a legal structure called ‘Privacy Shield’ in 2016 (which replaced a similar structure called ‘Safe Harbor’ which was in place from 2000 to 2015). Individual US companies can voluntarily sign up to Privacy Shield, and agree to abide by its principles and certain oversight by EU regulators.
The problem is that Privacy Shield may go the same way as Safe Harbor, and be declared invalid by the European courts, mainly due to the broad ability – and appetite – of the US government to access personal data held by US businesses and what EU regulators see as the ineffectiveness of Privacy Shield – the recent Facebook and Cambridge Analytica scandal being an example. Indeed, the EU Parliament passed a (non-binding) resolution to suspend Privacy Shield on 1 September 2018 if improvements are not made.
You may have heard about the ‘Microsoft Ireland’ case. In 2013, the US government served Microsoft with a warrant to hand over certain data. As that data was held on Microsoft servers in Ireland, Microsoft refused on jurisdictional grounds. The case worked its way through the US courts to the Supreme Court. Then, in 2018, the US government introduced a new law, the Clarifying Lawful Overseas Use of Data Act (or ‘CLOUD Act’), which allows for a warrant to be issued for data held overseas. With a new warrant issued under the CLOUD Act, the original case was dismissed without a Supreme Court decision. But the issue, and the CLOUD Act, remain and are troubling the European authorities.
If the current direction is maintained, the EU may decide that no safeguard is possible for transfers of personal data to the USA. Neither SCCs (the EU-approved standard contractual clauses) nor BCRs (EU-approved group-wide privacy commitments) do anything extra to prevent excessive government access. Losing US-applicability for BCRs will be a pain for those who have implemented them, but losing US-applicability for SCCs will be a disaster for any business across the EU that relies on them, or would look to rely on them if Privacy Shield falls.
When the UK leaves the EU in less than a year, we’ll become a third country under the GDPR and other EU data protection laws, just like the USA. Transfers of personal data from businesses in the EEA to the UK (even between group companies) will be treated just like transfers to the USA – only there isn’t even a disputed adequacy decision to rely on.
If the UK can’t convince the European Commission to fast-track an adequacy decision for the UK in time, then UK businesses will need to have SCCs ready to sign on 29 March 2019 with each and every EEA party from whom they want to continue to receive personal data.
If those EEA parties decide it’s easier to keep the data in the EEA and implement contingency plans, well, it’s possible not all of those plans will be rolled back if and when the UK gets its adequacy decision.
To make matters worse, some might say the UK government’s rights to access personal data aren’t far short of the US government’s – which was noted in the July report from ‘The Exiting the European Union Committee’. That might put an adequacy finding – and any other safeguard method such as SCCs and BCRs – at serious risk.
Business likes certainty in order to make plans and investments. One can only hope that politicians find the focus to keep EEA-USA transfers alive – and transfers from the UK to the EEA after Brexit in just 8 months’ time.
In a very welcome speech on 12 September 2018 to the CBI Cyber Security: Business Insight Conference, James Dipple-Johnstone (ICO Deputy Commissioner, Operations) summarised the UK ICO’s approach to security under GDPR and…