In the event of no deal the UK will need to seek an adequacy agreement with the EU to allow businesses to transfer personal data to the EEA without extra regulatory burdens. Here we explain the impacts of no deal on data and why the UK should prioritise an adequacy agreement with the EU.
How is personal data transferred while in the EU and what happens under no deal:
As a member of the EU the UK enjoys access to the EU's common framework for data protection. Underpinned by GDPR, this allows businesses to transfer personal data within the EEA and with the 13 other countries with which the EU has full or partial adequacy agreements without having to provide extra reassurances, known as ‘appropriate safeguards’.
In the event the UK leaves the EU without a deal, the UK will lose access to this common data protection framework at the point of exit: 23.00 GMT on 31 October.
As a result, UK businesses which exchange personal data with businesses in the EEA will have to ensure these ‘appropriate safeguards’ are in place to transfer data in a manner that complies with GDPR rules, for example by inserting Standard Contractual Clauses (SCCs) into contracts or applying Binding Corporate Rules (BCRs).
To prepare for no deal, businesses will therefore have to examine their data flows and take the extra steps needed to ensure that, when transferring data, they are not penalised by data protection authorities. ICO guidance on appropriate safeguards can be found here.
Countries can be granted adequacy by the European Commission (EC) if their data protection regimes are deemed to provide sufficient protections to personal data in their jurisdictions. This requires an assessment by the European Commission.
Receiving a full adequacy decision will allow personal data to be transferred to and from the EU in a similar manner as is done now. If the EC won’t grant a full decision, partial adequacy decisions can be granted allowing certain sectors or registered companies to transfer data. For example, the EU has a partial decision with Canada and with the US through the Privacy Shield Framework.
The European Commission has set out that it will not begin its assessment of the UK until it is a third country. Under the withdrawal agreement the UK could have applied during the transition period while still maintaining access to the EU’s common data protection framework. However, in the event of no deal the UK will need to apply once it has lost access.
How is the adequacy decision made?:
The process requires the third country (in this case the UK) to request the EC to make an assessment. This is then followed by a proposal from the European Commission, an opinion of the European Data Protection Board, approval from representatives of EU countries and the adoption of the decision by the European Commission following an investigation.
At any time, the European Parliament and the Council may request the European Commission to maintain, amend or withdraw the adequacy decision if in their view the EC exceeds the implementing powers granted to it in EU law.
This creates multiple friction points where the UK’s progress to an adequacy decision could be halted by legal or political hurdles.
The UK will also not necessarily be ‘front of the queue’, as existing adequacy talks are ongoing between the EC and South Korea.
How long could the adequacy decision take?:
The shortest time in which an adequacy decision has been completed is 18 months (with Argentina).
While the UK has said that it will continue to apply GDPR, therefore in theory speeding up an adequacy decision because the UK and the EU apply the same data protection laws, the UK’s case is unprecedented and there may be problems which arise due to a member exiting the framework that speed up or slow down an adequacy decision.
The UK’s security services will also come under scope in this decision: as the UK would be a third country, the actions of UK security services such as GCHQ would factor into any adequacy decision the EC may make. The main potential problem is the UK’s Investigatory Powers Act 2016, which allows for broad interception, interference and communications acquisition powers. This Act may contravene the human rights element which the GDPR is based upon, putting a fast adequacy decision at risk.
Further to this, any proposed changes to UK data protection rules may slow down the progress of an adequacy decision. For example, some have argued that leaving the EU offers an opportunity to diverge from GDPR. While other countries with full or partial adequacy decisions do not apply GDPR, changes to the UK’s data protection laws in the period where it is being assessed could result in the EC having to reset or review parts of its assessment, increasing the time it takes to grant adequacy.
Similarly, were the UK to put changes to data protection rules on the table in any trade negotiations, proposed changes to rules during the negotiation or the simple fact that these are in scope could slow down the decision-making process.
What should the UK Government do?:
Transfers of data are hugely important to the UK economy, with data-driven services increasing productivity and innovation. The McKinsey Global Institute estimates that cross-border data flows accounted for 3.8% of global GDP. In an advanced services-driven economy such as the UK, cross-border data flows are likely to make up a much bigger proportion of GDP than that.
43% of total UK exports are services-related, with more than one-third of these trade flows with European partners, and the majority of trade in services is underpinned by cross-border data flows. Therefore, interruptions to data flows and extra requirements on businesses to allow them to continue to transfer personal data will have a large impact on the UK economy.
In techUK's discussions with members, extra safeguarding measures such as SCCs and BCRs are seen as a useful relief in the event of no deal. However, large companies are significantly more likely to have applied these due to their size and resources, with smaller companies less likely to have done so.
In techUK’s last survey of members in December 2018, 65% of small and 46% of medium-sized businesses had not taken any active steps to prepare for a no deal exit on 29 March 2019, with 30% of small businesses having not taken any active steps to prepare because they lacked the resources to do so. This compared to just 8% of large businesses that had not taken any steps.
Even for larger businesses that have prepared by seeking to implement ‘appropriate safeguards’ there are concerns over the long-term sustainability of these safeguards due to a history of EU alternative privacy arrangements being struck down in court, for example the EU/US Safe Harbour Agreement. Currently SCCs are in scope in the Schrems II ECJ case, due to be resolved early next year. This case has the potential to invalidate SCCs as a method to transfer data to/from the EEA outside an adequacy decision.
In the event of no deal, techUK strongly encourages the UK Government to immediately request an adequacy assessment and to prioritise receiving a full, positive adequacy decision from the EC at the earliest opportunity.
This should be prioritised above attempts to enact significant reforms of UK data protection rules and changes to these rules resulting from trade negotiations.
techUK has significant concerns that a failure to achieve a timely adequacy decision will mean that UK businesses face a significant competitive disadvantage when compared with firms in the EEA or the 13 countries with full or partial adequacy decisions. An adequacy decision from the EU is the only way to guarantee that data can continue to be transferred without major interruption and to provide business with certainty on how to sell services and products to our closest partners without an increased risk of failing to meet data protection standards.
In the event of a protracted decision-making process, UK companies will have to provide extra certainty over their data protection arrangements to reassure potential customers that rules are not being broken. The legal uncertainties resulting from overnight changes in the rules after no deal, the potentially spotty application of SCCs and BCRs and the possible invalidation of some ‘appropriate safeguard’ mechanisms in court mean UK companies and their business partners could face a moving feast of regulatory requirements, increasing the risk of being fined by data protection authorities.
For any businesses which have concerns regarding transferring personal data to and from the EU in the event of no deal, please see the ICO's guidance for business here.