No Deal Brexit – Data Transfer Concerns?
If your company holds or collects data in the US, the UK and elsewhere in the EU, you should be mapping out how data flows through those jurisdictions in anticipation of the UK “crashing out” of the European Union. We cannot be sure that the EU will make data transfer easy for companies in this circumstance.
The Current Position
Under EU data protection law, personal data may not be sent to, made accessible from, or otherwise transferred to a country outside the European Union/European Economic Area (EU/EEA) unless the European Commission has made a formal decision that the destination country's data protection regime is "adequate", or unless another recognised safeguard (such as approved standard contractual clauses) or a narrow exemption applies. Adequacy for these purposes means that the country protects personal data to a standard essentially equivalent to that of the EU.
So far the only jurisdictions with an EU adequacy decision are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, and the USA, but only for organisations certified under the EU-US Privacy Shield.
It follows that only the jurisdictions above enjoy free flow of personal data from the EU/EEA. Transfers to any other country need another protection, such as the Commission's standard contractual clauses, or must fall within one of the limited exemptions. Failing to do this exposes the companies involved to substantial fines from the national data protection authorities that enforce EU law.
No Deal Brexit?
If adequacy is not dealt with in a Brexit deal, the UK would change overnight on exit day from being part of the EU's single data area to being a third country with no adequacy decision. The fact that UK law, policy and enforcement are, in substance, already aligned with the EU regime is unlikely to make any difference in the short term: the EU has little incentive to make business easier for the UK after a complete rejection of the EU and a refusal to accept the negotiated terms of departure.
Even if the EU decided to help UK businesses, once the UK has become a third country the European Commission would have to follow its full assessment procedure before an adequacy decision could be adopted in the UK's favour. That process has historically taken years, so a gap of at least a couple of years between exit and any such decision taking effect is likely. This leaves many companies in a quandary.
The Precise Problem?
The difficulty arises when an EU/EEA-based processor sends personal data to the UK. There is currently no way to assure EU data law compliance where data processed in the EU flows back to its source, a data controller in the UK. This is because there is currently no EU-approved set of "standard" or "model" clauses designed for an EU/EEA-based data processor sending data to a data controller in a third country. The GDPR's derogations permit occasional, non-repetitive transfers, but they do not cover routine business processing.
What Should UK Businesses Do?
Without a doubt, all UK businesses should map their data flows now and check which personal data required for their operations could become stuck in the EU/EEA following a no-deal Brexit. For each flow, record where the data originates, who acts as controller and who as processor, and which legal basis for transfer (adequacy, standard contractual clauses or an exemption) it currently relies on.
For transfers from the EU/EEA to a US organisation that is not Privacy Shield certified, the two companies simply adopt the Commission-approved standard contractual clauses. These clauses must be adopted without amendment to their terms, and the approved sets only cover transfers from controller to controller or from controller to processor; there is no approved set for processor to processor or processor to controller transfers.
So anything outside of the above may well be considered a breach of EU data law, and UK businesses will need to make a risk-based choice, because it will not be possible to be fully legally compliant for every data flow as things stand.
We at EveryDay Legal will keep our eyes open and update when we can.