In the midst of a global pandemic it’s easy to lose sight of any other news story, especially when the story in question is not news but olds.
Brexit is, like, so pre-Covid. But Brexit is still happening, and hidden beneath it is a potential elephant trap for anyone in the UK who trades digitally with Europe. The transition period, which started when the UK officially left the European Union, ends on the 31st of December 2020. After that date, if there is no adequacy decision in place, there will be no free flow of personal data between the EEA and the UK. And that is just the start of the challenges facing the UK.
Why adequacy matters
At the time of writing, progress on trade negotiations has been slow but the UK team is refusing to contemplate an extension to the transition period. As a result, there is a material risk that the transition comes to an end with no trade agreement or with a skeleton agreement covering only a few types of goods and services – a so-called cliff-edge Brexit.
From a privacy perspective this is a serious problem. One of the stated purposes of the GDPR, and of the Convention 108 agreement that is its global precursor, is to facilitate the free flow of information across borders in support of trade and commerce. What that means in practice is that while the UK is in the EU, including during this transition, there is no restriction on moving personal data around within the Union, and in fact within the slightly larger EEA. This makes it easy for organisations to buy and sell services that involve personal data within the single market, and for multinationals to base their processing wherever works best for them.
Precisely because this free flow of data is so important to trade, the GDPR (like the 1995 Data Protection Directive before it) includes something called an “adequacy mechanism”. This enables the European Commission to decide that a country outside the scope of the GDPR – so a country outside the EEA – has local data protection law strong enough that personal data can be transferred from the EEA to that country without further safeguards. A number of countries have been given adequacy decisions, in some cases only partial ones: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the United States of America.
Without adequacy you could lose your competitive edge
Without an adequacy decision, any transfer of personal data to a so-called “third country” requires additional safeguards (set out in Article 46). These range from relatively complex contractual arrangements, known as “Standard Contractual Clauses” (SCCs), to internal and enforceable rules applying to a group of related organisations, called “Binding Corporate Rules” (BCRs), to specific security and redress provisions for a narrow range of other use cases. In all cases the common elements are cost and complexity: transferring data across borders in the absence of an adequacy decision is more expensive and time-consuming, creating an inherent competitive disadvantage.
Getting an adequacy decision is not a straightforward exercise. The wheels of European decision-making grind fine but slowly. South Korea has been working on adequacy since 2015; the final decision may not be until 2022. Nor are adequacy decisions either permanent or all-embracing. The Canadian adequacy decision applies to commercial organisations only – transfers of personal data between Canadian non-profits and EEA entities, for example, require additional safeguards.
July might make things worse
But it’s the US situation that is most relevant to Brexit. The US currently has a limited adequacy framework, referred to as “Privacy Shield”. This is a relatively recent invention; previously there was a less restrictive arrangement called “Safe Harbor”. Following the 2013 Edward Snowden disclosures, an Austrian privacy campaigner, Max Schrems, complained about Facebook’s transfers to the Irish data protection authority, and the case was referred to the European Court of Justice (ECJ). His argument was that the PRISM scheme, under which the US National Security Agency gained access to personal data transferred from the EEA to the US by Facebook, meant that the US had inadequate safeguards.
In 2015 the ECJ agreed, ruling that the Safe Harbor adequacy framework was invalid. Free exchange of data between the US and the EEA is considered so important that the Privacy Shield replacement framework was established in something of a hurry, with additional guaranteed rights of redress for EEA citizens and the creation of a privacy ombudsman in the US. However, this arrangement was recognised as something of a sticking plaster, since the underlying issue of state surveillance had not changed, and Schrems has brought a second case. The decision in that case is expected on the 16th of July 2020 and may have dramatic consequences for data flows between the US and the EEA.
What’s the problem with adequacy?
What has all of this to do with the UK? The UK government has already written into law that transferring data from the UK to the EEA will be acceptable (a unilateral adequacy decision), but there has been no reciprocal decision from the EU. So without an adequacy decision UK businesses and the UK business units of multinational corporations face significant additional headwinds in cross-border data transfers. Yet the UK is by no means guaranteed to get an adequacy decision as part of the Brexit negotiations, nor – even if it were prepared to join the queue along with South Korea et al. and wait perhaps as long as seven years – to get one afterwards.
While countries are part of the EU, processing done for the purposes of national security, crime prevention and a number of other functions of state sits outside the GDPR or can be exempted from it by the Member State [Article 23.1 and Recital 16]. This is, of course, because the actions of an EU Member State are ultimately answerable to both the democratic process and the European Court of Justice.
Once a country leaves the EU, however, as the UK has done, this exemption no longer applies. Instead the Commission is required [Article 45.2(a) and Recital 104] to consider the third country’s respect for human rights and fundamental freedoms – rooted specifically in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (CFR), the rights to a private life and to the protection of personal data – precisely in the context of national and public security and the other areas of state operation that Article 23 allows Member States to exempt.
Why the UK might not get adequacy
This presents a number of problems for the UK. The longest-standing are the powers granted to the government and the security services by the Investigatory Powers Act 2016 (IPA). The ECJ has already ruled twice that UK data retention and surveillance regimes of this kind contravene the CFR. There has also been criticism of the UK’s handling of data taken from the Schengen Information System, an EU-wide information-sharing system for security and border management. This latter, in particular, led the Netherlands government to question earlier this year whether the UK should get an adequacy decision.
Even more recently we have seen the UK government diverging from the European position on contact tracing for Covid-19. Not only did the UK decline to join the common European initiative, instead developing its own app that took an entirely different technological and privacy approach; the UK government also sought to centralise contact-tracing information and hold it in identifiable form for 20 years.
Finally, the UK is a member of the so-called “Five Eyes” intelligence-sharing network. Of the other members of this network Australia has no adequacy decision, Canada’s is restricted to commercial organisations and so excludes functions of government and the US’s adequacy decision is under review; only New Zealand has full adequacy.
What’s the impact of losing adequacy for the UK?
Economically, a loss of adequacy would be a substantial blow to the UK economy. It’s not possible to give an accurate estimate of the likely scale of this blow, because the research simply hasn’t been done, but one marker is that 7.7% of UK GDP comes from the digital sector alone. With tremendous economic damage from the Covid-19 pandemic already baked in, the UK now faces a potential double whammy from a digital recession, precisely when digital is one of the sectors least affected by pandemic restrictions.
And what should you do about it?
Any organisation with operations in the UK needs to start work now on mitigating the consequences of a loss of adequacy. This means reviewing all cross-border data flows and either redirecting them or putting appropriate safeguards in place. In many cases this means examining data flows and business practices that have never been reviewed, because internal data transfers within the EEA did not previously need consideration. This will be particularly relevant when looking at supply-chain relationships that were previously uncontroversial because both parties were in the EEA, and at internal ways of working, such as shared services, that previously offered obvious efficiency gains for the same reason.
It may be that appropriate paperwork – SCCs or BCRs – can be implemented, but this is not the work of moments and SCCs themselves are currently also the subject of litigation in the ECJ. It may mean looking for derogations under Article 49 and ensuring that the necessary safeguards and precursors have been implemented. Or it may mean changing business practices to limit or eliminate cross-border flows where this is less expensive or more achievable than legitimising them.
The answers will vary by organisation and use case. What’s abundantly clear is that a great deal of work is required against a background of considerable uncertainty, and that we have only six months left in which to do it.
If you’d like to hear more on this topic, follow Securys on LinkedIn.