Brexit and the Privacy Shield

The following notes from Data Protection People expand upon the official UK Government guidance in Guidance – Data protection if there’s no Brexit deal – Published 13 September 2018.

Brexit background

The GDPR allows free movement of personal data throughout the European Economic Area (EEA). The EEA is made up of the 28 members of the EU (soon to be 27 when the UK leaves), plus Norway, Iceland and Liechtenstein. All other countries are called “third countries”.

Thirteen third countries have negotiated “adequacy agreements” with the EU, the most recent being Japan. ‘Adequacy’ means that their Data Protection laws are recognised to be equivalent to European standards. Adequacy arrangements take several years to negotiate and implement with the European Commission.

You need to think beyond a deliberate and purposeful transfer of data to the EEA. If you use a cloud-based software solution whose servers are based in the EEA, this also constitutes an international transfer. For example, many well-known software companies have based their servers in the Republic of Ireland.

The UK leaves the EU at midnight Central European Time (11pm UK time) on 29th March 2019. At this time the UK becomes a third country outside the EEA.

Brexit WITH a deal (“Withdrawal Agreement”)

There will be a “transition period” lasting until 31st December 2020. During the transition period the data protection legal obligations for UK organisations are unchanged because continuity of Data Protection has been negotiated as part of the “withdrawal agreement”.

During the transition period from 29 March 2019 to 31 December 2020 the UK and the EU must conclude a final agreement on their future relationship. That may include an adequacy agreement; it may not. An assessment of adequacy can only commence after the UK has left the EU. These assessments and negotiations usually take years. The fastest adequacy assessment so far, for Argentina, took 18 months, but other assessments have taken up to five years.

The UK Government’s aspiration is for an agreement above and beyond “adequacy”. This has been negotiated for many months and reiterated in the July 2018 Brexit white paper, but the UK’s proposals have never been well received by the EU. In a May 2018 speech, the EU’s Chief Negotiator for Brexit, Michel Barnier, responded to the UK’s proposal for something beyond adequacy, saying that “the only possibility for the EU to protect personal data is through an adequacy decision”. To accept the UK’s proposal, he said, would be to “abandon our decision-making autonomy” – something that the EU “cannot, and will not” do.

If there is no adequacy decision agreed by December 2020, UK organisations will need a new legal transfer arrangement for international transfers, such as standard contractual clauses or (for internal transfers inside multi-national organisations) binding corporate rules.

Brexit without a deal (“No deal”)

This will be a big and immediate problem for any UK organisation with international transfers if the UK exits WITHOUT a deal on 29th March.

Any transfers FROM the EEA TO the UK will be illegal.

The British government has helpfully made clear that in a “no deal” situation it will still be lawful to transfer Personal Data FROM the UK TO the EU. But this has not been reciprocated by the EU – far from it.

In the case of a no deal Brexit it seems probable (for political rather than practical reasons) that it would take even longer to achieve an adequacy agreement than it would if there was an orderly exit with a withdrawal agreement. It could take years before the EU recognises the UK’s data protection laws through an adequacy ruling – if at all. Legal experts and even the U.K.’s own Information Commissioner have doubted whether the U.K. would be able to achieve an adequacy decision. On Oct. 23, Margot James, the U.K.’s digital minister, admitted to a House of Commons select committee that she could not categorically guarantee an adequacy agreement with the EU. Shadow Digital Minister Liam Byrne was alarmed, tweeting, “Holy cow. Ministers have just told they can’t guarantee the adequacy agreement that allows data sharing across the EU in event of no deal Brexit! That could jeopardise 70% of U.K. services exports!”

So, to stay legal in the event of a no deal Brexit, UK organisations making international transfers must use measures such as standard contractual clauses or binding corporate rules with immediate effect from 29th March. If they do not, transfers FROM the EEA to the UK in the case of a no deal Brexit will be illegal.

Standard Contractual Clauses

Standard Contractual Clauses have been designed by the European Commission and have long existed and been used to legitimise international transfers. They were updated to remain compatible with the GDPR. They must be used in their entirety with no changes, although they can be and usually are incorporated into a bespoke contract between two contracting parties.

They are bilateral contracts that must be entered into by the data exporter (based in the EEA) and the data importer (outside the EEA). Different versions exist for Controller to Controller vs Controller to Processor. They cannot be used for Processor to Processor.

They are relatively easy for a specialist data protection lawyer to implement and represent an out-of-the-box solution.

Privacy Shield and transfers to the USA

Privacy Shield came into existence on 12 July 2016 when the European Commission adopted an Adequacy Agreement in respect of the EU-US Privacy Shield Framework, a voluntary mechanism to replace the defunct Safe Harbor framework. As a result, data exports from the EEA are permitted to US-based organisations which hold a Privacy Shield certification. It is essentially a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It appeared for a while that when the UK leaves the EU on 29th March 2019 it would no longer be party to the Privacy Shield framework.

Why is this important? Do we transfer personal data to the USA?

Many popular software solutions including Mailchimp, SurveyMonkey and Dropbox are American products hosted on servers in the USA. Therefore, by definition, using them involves a transfer of personal data to the United States. The same may apply to many other popular cloud-based hosting solutions.

However, the US government pre-empted this problem to safeguard its lucrative market for software products in the UK. It could not afford for the use of such American products to become unlawful on 29th March. There are currently about 3,230 US-based organisations subscribed to Privacy Shield.

On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit.

After Brexit, US organisations participating in Privacy Shield must implement the following additional measures:

Any statement setting out a public commitment to comply with the Privacy Shield must expressly confirm that the commitment extends to personal data received from the UK in reliance on Privacy Shield. Furthermore, if a participant plans to receive Human Resources (“HR”) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy; and

A current Privacy Shield certification must be maintained and recertified annually.

The deadline for participants to adopt these measures will depend on whether the UK Government is able to finalise a withdrawal agreement with the EU. A participant that does not implement these measures will not be able to rely on the Privacy Shield to receive personal data from the UK after 29 March 2019 if there is no deal (i.e. no transition period) or 31 December 2020 at the end of the transition period in the event that the UK Government finalises a deal with the EU (each an “Applicable Date”). During the transition period the European Commission’s adequacy decision on the level of protection afforded to personal data by Privacy Shield would continue to apply (meaning it is treated as essentially equivalent to the level of data protection offered by EU law).

After the Applicable Date, a participant that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK will be required to cooperate and comply with the Information Commissioner’s Office (the UK’s data protection regulator).

So, in summary, if you are transferring data to the USA or using any USA-based hosted software solutions, you must check that the vendor abides by these requirements. As long as they do, it will be lawful to continue using them.

Jason Ellis