Almost all commercial organisations transfer personal data across borders in some form or other. In financial services, those transfers are absolutely vital and often involve sensitive and confidential information. Over the next six months, it is possible that the laws to do with the transfer of personal data from the EU to the UK will change.
The issues that face Guernsey organisations that transfer personal data to the UK and the EU also face organisations in any of the jurisdictions (Andorra, Argentina, Canada (for commercial organisations), the Faroe Islands, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay) that the European Commission has judged to be 'adequate' for data-protection purposes.
Where did we come from?
Prior to Brexit and the departure of the UK from the EU, data transfers between Guernsey, the UK and the EU were a relatively easy affair. The UK sat within the EU. The General Data Protection Regulation was directly effective in the UK, meaning that British organisations could transfer data around the EU freely. Guernsey has an 'adequacy decision' from the European Commission, meaning that our legislation is deemed essentially equivalent to that of the GDPR. So no extra measures or safeguards had to be put in place prior to transferring personal data from Guernsey to either the UK or elsewhere in the EU.
This is in contrast to transfers from Guernsey to countries or jurisdictions that are outside the EU and do not have data protection legislation deemed to be 'adequate' (i.e. equivalent to the GDPR), such as the USA. In order for a transfer of personal data to such places to be lawful, the transferring Guernsey organisation ought to make sure that certain safeguards are put in place. Such safeguards include the use of binding corporate rules or standard contractual clauses.
Where are we now?
The UK has now left the EU and the GDPR is no longer part of the UK's law. Although the UK has already said that personal data can flow from it to the EU without additional mechanisms being put in place, the EU has made no reciprocal statement in respect of data flows to the UK.
Despite the UK's requests, the European Commission has not made an decision about 'adequacy' in relation to the UK. However, by virtue of the new trade deal agreed between the UK and the EU, the EU has agreed to delay data transfer restrictions for at least another four months, which can be extended by a further two months - this is known as 'the bridge.' Until the end of June, then, data transfers between Guernsey, the EU and the UK can continue as normal.
On 19 February the European Commission began a process that might lead it to decide that the UK is 'adequate' in relation to the GDPR. This might be a promising sign, but we are not on safe ground for data transfers yet. An opinion from the European Data Protection Board is required, as is a green light from a committee composed of representatives of member states, before final adoption by the commissino.
As part of the preparations for Brexit, Guernsey passed legislation some time ago to allow the continued free flow of personal data from the island to the UK until the end of 2021. This free flow of data happens regardless of whether or not any agreement is reached between the UK and the EU after the bridge ends.
All jurisdictions with 'adequacy' decisions under their belts are subject to regular and continuing review by the commission. Indeed, the commission has begun the process of reassessing Guernsey's 'adequacy.' Neighbouring Jersey’s adequacy is going to be reassessed as well, so these are pressing issues for that jurisdiction too.
Where are we going? A fork in the road
What happens next is crucial to organisations that transfer personal data to the UK or EU. It is hoped that there will be no bumps in the road, but there are some indications that the free flow of data between the EU and the UK might not continue. There are concerns that the European Commission will look in detail at the UK's crime and national security legislation as part of its assessment, particularly the Investigatory Powers Act 2016, which has been a controversial piece of legislation that human rights organisations have criticised.
Firms that manage data transfers need to have road maps for at least the following three scenarios.
Route A: The EU makes an adequacy decision (or similar) in respect of the UK
From a data-transfer perspective, the ideal outcome for Guernsey organisations is for the European Commission to provide an adequacy decision in respect of the UK in the same way that it has done in respect of Guernsey and twelve other jurisdictions. This would allow the continued free flow of personal data between Guernsey, the UK and the EU in the same way as it does now. Guernsey would then be likely to enact its own legislation to declare the UK as an "authorised jurisdiction" to ensure that the free flow of data continues past the end of 2021.
Route B: No adequacy (or similar) decision for the UK
If the commission does not label the UK as adequate, or the equivalent under the terms of any agreed deal, this will present difficulties to anyone in Guernsey who transfers personal data to the UK.
Although Guernsey legislation would permit the ongoing transfer to the UK up until the end of 2021, it does beg the question of what will happen after the end of this year. Guernsey's government would have to decide whether or not to follow the position taken by the EU. If it decided to do so, this would result in the additional safeguards having to be put in place in cases where people are transferring data to the UK. An unwelcome level of bureaucracy and red tape would be added to the movement of personal data between Guernsey and the UK. Guernsey's newly elected chief minister and key ministers have made public announcements of their intention to cut red tape in Guernsey and reduce bureaucracy, so they will be unlikely to want to sign up to further data-transfer restrictions, unless it is essential for the prosperity of the Bailiwick.
Alternatively, Guernsey may prefer to tie itself to the UK. Trade with the UK and access to London is generally accepted as an essential part of the life blood of Guernsey's finance industry and Guernsey more generally. Constitutionally, Guernsey is tied to the UK and, although it has a great deal of autonomy, it is Westminster that legislates for it on matters of international relations and defence. So it is not unrealistic to think that Guernsey will take steps to ensure that the free flow of personal data between the Bailiwick and the UK continues. If it does so, it may lose its 'adequacy' decision from the European Commission and consequently anyone from the EU who wanted to transfer data to Guernsey would have to insert safeguards before doing so.
The conclusion that the European Commission reaches after its review of Guernsey's 'adequacy decision' is very likely to be affected by the approach that Guernsey takes to the transfer of data to the UK. If Guernsey is willing to transfer data to the UK in circumstances where the EU deems the UK not to have adequate legislation, then the likelihood of Guernsey's adequacy decision remaining in place is, we suggest, substantially reduced.
Route C: Another option or a continued period of uncertainty
It is of course possible that the protracted conversations about the relationship between the EU and UK will continue beyond the end of June 2021 and the 'bridge' will be extended. This further period of delay will mean the current uncertainty continues but so would the ability to move data freely between Guernsey, the UK and the EU.
So what does this mean for Guernsey organisations?
Organisations in Guernsey ought to keep an eye on the direction in which Anglo-European negotiations are heading. It is to be hoped that they need put no additional safeguards in place, but anyone who transfers data to the UK or EU should examine those data transfer routes and be ready to put safeguards in place at relatively short notice. Steps to take are as follows.
- Find out where cross-border data transfers happen.
- Decide which safeguard best suits this-or-that data transfer. The safeguard of "standard contractual clauses" (a phrase found in the GDPR and other GDPR-like laws) will frequently be the most suitable. These need to be included, without alteration, into the contract between the transferor and recipient organisations. The mechanism of "binding corporate rules" (another GDPR phrase) may also be an option for organisations.
- Talk to the recipient of the data to agree terms of the safeguards that would take effect should the UK not be declared to be 'adequate' (or similar) at the end of the bridge.
- Prepare potential amendments to privacy notices and data protection impact assessments (DPIAs).
- Monitor the progress of negotiations between the UK and EU to ensure that the planned appropriate safeguards remain suitable.
- Be ready to appoint a UK/EU representative if the organisation is offering goods or services to, or monitoring the behaviour of individuals in, the UK/EU.
* Victoria Pratt can be reached on +44 (0)1481 748 938 or at firstname.lastname@example.org