
After Brexit - how to solve the border problem in a world of data

Elaine Gray and Alexandra Gill, Carey Olsen, Partner and associate, Guernsey, 4 September 2019


One would be forgiven for thinking, in today's increasingly interconnected digital world, that data transcends borders. This is probably not going to be entirely the case if Britain crashes out of the European Union without a deal on 31 October.

It is 7am on 1 November 2019. A notification flashes on your mobile: 'Brexit delivered'. Despite years of political posturing, neither the United Kingdom nor the European Union could agree on a plausible deal. You need coffee.

[Sometime later...] You are now halfway through your third coffee and the consequences of a 'No-Deal' Brexit are giving you a mild headache. The data protection officer in your London office has confirmed that the UK is now deemed by the EU to be a 'third country' [an EU term for "not in the European Economic Area"] and they have asked you to confirm whether data flows from the Guernsey and Jersey offices to the UK will continue to be lawful.

You need another coffee (and an aspirin).

One would be forgiven for thinking, in today's increasingly interconnected digital world, that data transcends borders. In practical terms, for example, an email can be sent from an office in Glasgow and, seconds later, fall into an inbox in Manila. People often forget the laws that let data flow freely across borders. Over recent years we have seen a proliferation of legal challenges to those laws, including court action concerning the validity of data transfers to the US from Europe (under the now defunct 'Safe harbour' mechanism and its slightly more muscular relative, the 'Privacy Shield').
 
And now there is Brexit. At the moment, nobody knows whether the UK will leave with or without a deal. If no deal is done, what happens from a data protection perspective? In particular, where does such an outcome leave an organisation based in the Channel Islands, whose main business operations require the sizeable, uninterrupted and unencumbered flow of data to the UK?

To attempt to understand the issues, one must rewind the clock to 1980 (four years before Steve Jobs unveiled the first Macintosh computer and nine years before the Internet's "Big Bang").

It was in this year that the Organisation for Economic Co-operation and Development (OECD) developed its 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.' These guidelines introduced a set of model principles to be followed by data controllers. They took account of the importance of the free flow of information between countries that belonged to the OECD and were not designed to set up "unjustified obstacles to the development of economic relations among member countries." Although they discouraged member states from restricting flows between themselves, they were in favour of OECD countries restricting the transfer of information to other countries.

This formed one of the founding tenets of the European Union's data protection law and is still relevant today, as seen in the General Data Protection Regulation (GDPR). Where there are borders, there are restrictions.

A general principle for transfers

Both the GDPR and the Channel Islands' data protection laws prevent controllers and processors (data exporters, in EU parlance) from transferring personal data to any territory, jurisdiction or 'international organisation' outside the European Economic Area or EEA (a data recipient) unless:
(a) the European Commission makes an 'adequacy decision' and says that the recipient protects personal data properly; or
(b) in the absence of an adequacy decision, the data exporter sets up safeguards that enforce the rights of data subjects and make effective legal remedies available to them; or
(c) in the absence of either (a) or (b), the data exporter is able to rely on one of the derogations to legitimise the transfer.

Derogations
 
These restrictions have the effect of creating a barrier between certain jurisdictions, depending on the adequacy of their data protection regimes. The effect of these restrictions is the following.

  • Transfers of personal data to a country in the EEA (comprising each of the European Member States plus Iceland, Liechtenstein and Norway) are unrestricted.
  • Similarly, any data transfers to a jurisdiction that the EU has dubbed 'adequate' are permissible (such as the Bailiwick of Guernsey and the Island of Jersey and those US companies that have signed up to the Privacy Shield by promising in writing that they comply fully).
  • Transfers of personal data to a recipient who is not 'adequate' will not be permitted unless the recipient can demonstrate that a suitable safeguard or derogation applies.

Where does this leave the UK after Brexit?

If the UK were to leave the EU on the terms of the deal that Theresa May's government wanted to strike with it, Brexit would not have any immediate effect on data flows to the UK. This is because the GDPR would continue to apply until 31 December 2020 (a period which an agreement between the UK and EU might extend for a further two years) and during that time the UK could ask the EU to pronounce it 'adequate.' In essence, therefore, the status quo might be preserved forever.
 
If the UK leaves the EU on 1 November without a deal and without the EU proclaiming its 'adequacy,' transfers of personal data from the EU and the Channel Islands into the UK would not be permitted unless the recipient in question could demonstrate that a suitable safeguard or derogation applied.

What counts as an 'appropriate safeguard' or 'derogation'?

In essence, an 'appropriate safeguard' can allow firms in different countries to share data regularly and systematically over the longer term. Intragroup transfers are a good example of this. If one company has outsourced its payroll functions to another company in the same group, it could set up a safeguard and this would be an appropriate way of protecting the regular sharing of personal data. By contrast, a derogation might be appropriate for an irregular or one-off transfer which is necessary but not routine.

Safeguards

The GDPR and both Channel Islands' data protection laws make provision for a number of 'safeguards.' These include the use of:

  • approved codes of conduct and certification mechanisms;
  • Binding Corporate Rules (BCRs); and
  • Standard Contractual Clauses (SCCs – sometimes referred to as model clauses). These appeared in the old Data Protection Directive and later in the GDPR. People have continued to use them under the new regime, but no official body has vetted their use since the GDPR came in.

One might expect approved codes of conduct and certification mechanisms to provide organisations with plenty of options, but neither is available at the time of writing.

Channel-Island businesses deploy BCRs and SCCs frequently. BCRs first appeared as a form of safeguard in the old Data Protection Directive many years ago. People often think of them as the most robust mechanism for the transfer of data within a group of companies. In simple terms, they are a comprehensive set of data protection policies, based on EU privacy standards, that (typically) each undertaking in the same group adopts voluntarily. To this end, they compensate for a lack of data protection in a non-EEA country which the European Commission has not labelled as 'adequate.' BCRs are also a practical and flexible solution to many of the jurisdictional complexities that arise when firms transfer personal data across borders.

There is, however, a caveat. The GDPR dictates that every BCR must be approved by a competent lead data protection authority. Because of this, BCRs are not a 'quick fix.' If a group does not already have BCRs in place (or has not taken steps to ensure that BCRs are in place by 31 October this year) this option will probably not be available in time.

The most popular transfer mechanism we see is the use of SCCs. These are pre-approved clauses of various kinds that the European Commission has authorised for use as a contractual means of ensuring that both the data exporter and the recipient safeguard personal data in accordance with EU standards. There are at present three sets of SCCs: two that govern the transfer of data between controllers and one that governs transfers between a controller and its processor. There are no SCCs that govern transfers from a processor to a sub-processor.

SCCs are useful because firms can set them up without having to wait for the prior approval of a data protection authority and can simply append them to existing data-sharing and data-processing agreements. Unfortunately, they cannot be amended without the approval of a data protection authority.
 
A British application for an 'adequacy decision'?

The UK's decision to leave the EU has come at an interesting, if somewhat turbulent, time. It can, and almost certainly will, apply for an 'adequacy decision' but nobody knows how long the EU will take to make it. 'Adequacy decisions' take time to process and it is possible that the UK will have to form an orderly queue behind other jurisdictions that are waiting now.
 
The UK has already passed its own GDPR-like law, but this might still not be enough to guarantee an 'adequacy decision' when the time finally comes. This is because HM Government wields some of the widest-ranging surveillance powers in the Western world. The European Union is particularly sensitive to this issue because its court forced it to revoke the Safe Harbour in the light of the Snowden revelations and the successful court case mounted by Maximilian Schrems.
 
Moving personal data across the English Channel

Against this turbulent backdrop, it may come as a surprise that the Channel Islands are unaffected by this issue so far. Both Jersey and the Bailiwick of Guernsey are adequate in the eyes of the EU and have also passed laws to permit their companies to transfer personal data to the UK until the end of 2020 (to coincide with the exit date that Theresa May proposed).
 
However, if the European Commission makes its pronouncement on the UK's adequacy before the expiry date to be found in Jersey's and Guernsey's laws (i.e. before 31 December 2020), Guernsey's Data Protection Authority says that it will ask the States of Deliberation to revoke the law so that people will no longer be able to transfer data to the UK by taking this approach. It remains to be seen what Jersey would do in a similar situation.

Furthermore, although this legislation legitimises the transfer of personal data in accordance with Channel-Island data protection regimes, it does not extend to the GDPR.

There may, for example, be circumstances in which a Guernsey or Jersey company is subject to both the island data protection law and the GDPR itself (by virtue of the GDPR's extra-territorial provisions). In these circumstances, local companies must still pick the transfer mechanisms on which to rely under the GDPR in order to ensure that firms are transferring data to the UK lawfully.
 
In both scenarios, the company has to consider an alternative way of transferring data. The European Data Protection Board has published a guideline in this regard which can be found at: https://edpb.europa.eu/our-work-tools/our-documents/drugo/information-note-data-transfers-under-gdpr-event-no-deal-brexit_en

For all these reasons, SCCs are likely to remain the most practical way of allowing data transfers. However, firms ought to exercise some caution because some changes might be on the horizon.

The future of SCCs – trouble in store?

As with many aspects of data protection, there is a history. There are also actors, a stage and costume changes.

In June 2013 Edward Snowden made a number of unauthorised disclosures, revealing that the US National Security Agency (NSA, a wing of the Central Intelligence Agency) had been conducting surveillance on individuals on a mass scale. Questions soon followed about the integrity of the Euro-American 'Safe Harbour' deal (which legitimised data flows from the EEA to the US), with some commentators alleging that the people who operated the Safe Harbour were also involved in the NSA's surveillance activities. Under pressure from privacy activists and data protection authorities, the European Commission had no option but to reopen discussions with the US Government to strike a new deal.
 
This done, it approved the Privacy Shield as the replacement for the Safe Harbour. Since its introduction, this mechanism has flirted with controversy. In particular, the Article 29 Working Party (now replaced by the European Data Protection Board) observed a while ago that, in addition to concerns that the redress mechanism for data subjects was complex and unwieldy, the agreement did not expressly exclude the mass and indiscriminate collection of personal data by US intelligence agencies from the EU.

Against this backdrop, Max Schrems, a law student and a somewhat unlikely protagonist, entered stage left. Schrems made a series of formal complaints about the operation of the Safe Harbour. He originally complained that Facebook Ireland (the data controller for Facebook's European subsidiary) could no longer rely on the Safe Harbour deal to legitimise the transfer of his data to the US as a result of the NSA's activities. The Court of Justice of the European Union found in his favour and this led to the replacement of the Safe Harbour with the Privacy Shield.

Facebook Ireland then argued that, instead of relying on the Safe Harbour deal, it could in fact rely on the SCCs as an alternative mechanism to transfer data. Schrems then complained about the SCCs. The Irish High Court (acting on a complaint that went through the Irish Data Protection Commissioner) asked the European Court to pronounce on the effectiveness of the SCCs and on the allegation that the US's handling of European citizens' personal data contravened the data protection guarantees that EU law treats as a fundamental right. That decision is pending and could have wide-reaching implications for the validity of the SCCs and of the Privacy Shield itself.

A gaze into the crystal ball

The European Court is due to publish its decision early next year (often referred to as the Schrems II judgment). Crucially, in the event that the court holds the SCCs and/or the Privacy Shield deal to be invalid, this may result in all existing transfers that have been based on the SCCs and/or the Privacy Shield deal being held to be invalid. As such, any business which has tried to rely on SCCs to legitimise its transfer of data to the UK in a post-Brexit world could end up having to revisit its transfer mechanisms in the New Year.

There is, however, a glimmer of hope. The European Data Protection Board says that it is in the process of modifying the SCCs in the light of the GDPR and ought to have finished in the New Year. Let us hope that the two coincide to spare business a huge headache!

Perhaps some good news will emerge in the coming months, with a new set of SCCs in the offing and an end to the speculation about Brexit and about the usefulness of the Privacy Shield. Channel Islands businesses, however, will have to look afresh at their data protection compliance and transfer mechanisms in the coming months, perhaps more than once. They will have to think about redesigning their data maps, they will have to review their data transfer mechanisms with third parties and they will have to update their privacy notices and internal policies and, maybe, reach out for something slightly stronger than coffee...

* Elaine Gray can be reached on +44 (0)1481 732 035 or at elaine.gray@careyolsen.com; Alexandra Gill can be reached on +44 (0)1481 741 546 or at alexandra.gill@careyolsen.com
