THE BOTTOM LINE
“EU standards of data protection must travel with personal data when it goes overseas.” (Information Commissioner’s Office (ICO) statement following Schrems II, November 2020.)
This should probably be our primary takeaway, but for context, and some pointers on how to achieve this…read on!
It started off quite simply. In 1995, as computers and the internet began their exponential rise to ubiquity, the EU Data Protection Directive – enshrined in the UK by the Data Protection Act 1998 – created the basic principles and legislative framework to protect individuals against the potential abuse of their personal data. Fifteen years on and it was already beginning to look creaky as new smartphones accelerated our online connectedness and smarter social media helped us all to splurge our online presence.
This was roughly the time when Big Data got, well, big.
Meanwhile, during the tail end of that same period, Max Schrems was filing a suit against Facebook for violating EU privacy laws (Schrems I). The main consequence was that, towards the end of 2015, the longstanding ‘Safe Harbour Privacy Principles’ – which had governed transatlantic data flows since the early 2000s – were torn up. The significance was profound. To spell it out, on the cusp of introducing new and far-reaching EU privacy legislation, the remaining fig leaf protecting the riptides of data flowing between the EU and the US had just been junked.
In the longstanding tension between technological advance and privacy it became clear that privacy was losing. It was time for something new.
First conceived in January 2012, by 2016 the EU had designed its solution: the General Data Protection Regulation (GDPR) which (unlike its preceding Data Protection Directive) would become law immediately upon adoption – on 25 May 2018 – throughout the Union.
The GDPR text begins with “The protection of natural persons in relation to the processing of personal data is a fundamental right.” It puts the individual at the front and centre of privacy legislation while the articles and recitals it enshrines go further and harder than all of its predecessors.
It is, perhaps, unsurprising that similar legislation was being enacted in countries around the world, not least because the barriers to data exchange with these similar legislatures would be lower based on the so-called principle of adequacy. Chile, Japan, Brazil, South Korea, Argentina and Kenya, and California in the US, all joined up.
The rest of America didn’t.
The United Kingdom, as a soon-to-be ex-member of the EU, enshrined the GDPR’s principles in the Data Protection Act 2018 – with a very close eye on the parameters of adequacy.
As the Safe Harbour initiative sank without trace, the ‘transatlantic alliance’ became acutely aware that it needed a mechanism to guarantee individuals’ privacy as their data flowed back and forth across the ocean. During 2016 the US and EU hammered out an agreement that finally made it into law. It was called the EU-US Privacy Shield and contained instruments that provided sufficient convergence to deem ‘adequacy’ between the two blocs. It was finalised – and came into force – on 12 July 2016.
Data was on again.
Then, on January 25 2017, Donald Trump blew it up. He signed Executive Order 13768, entitled “Enhancing Public Safety”. Intended to support his (unconstitutional) immigration enforcement measures, it stated that U.S. privacy protections would not be extended beyond US citizens or residents – effectively removing the principles on which the Privacy Shield was founded.
With its foundations scuppered, the Privacy Shield was wide open to challenge.
And challenged it was. By February 2017, elements of the original Schrems I decision (by now formally called ‘Data Protection Commissioner v Facebook Ireland’), alongside a slew of other claims, were on their way to the European Court of Justice (CJEU).
In December 2019 the CJEU issued its preliminary findings. They were ominous. On 16 July 2020 it struck down the EU-US Privacy Shield on the grounds that it did not provide adequate protection to EU citizens, and the European Data Protection Board went on to declare that “transfers on the basis of this legal framework are illegal”.
Which brings us to now.
A CLEFT STICK
Schrems II has put the UK in a very difficult position post-Brexit. Clearly we will want – need – an adequacy agreement with the EU to maintain the huge social and economic edifice based on the free flow of data. If we could negotiate it in isolation it would be fairly easy – we’re already part of the GDPR ‘family’ and comply with all of its requirements. However, the EU already looks askance at the Investigatory Powers Act, which it sees as divergent from the environment required to assure the sanctity of personal data, and this may yet stymie the adequacy agreement that we hope for.
Furthermore, if the UK further liberalises its data protection regime – for example to accommodate the US CLOUD Act, which prioritises US interests over foreign laws – this will erode, perhaps terminally, the basis on which an adequacy decision could be made.
In the end, we probably can’t have our cake and eat it.
WHAT HAPPENS ON 1 JANUARY 2021?
At the beginning of this piece we established that “EU standards of data protection must travel with personal data when it goes overseas.” On 1 January 2021 the UK will be ‘overseas’ – and this will have ramifications for most of us who transact personal data, and all of us who receive personal data from the EU.
As you will have gathered, the defining concept, post Brexit, for the free exchange of data between the UK and elsewhere will be adequacy. The UK Government has already deemed transfers to the EU as continuing to be acceptable – on the assumption that they are GDPR compliant, which of course they should be – so the EU is ‘adequate’ for us.
Unfortunately the EU is yet to reciprocate, and even if we get a Brexit deal that includes adequacy as an ambition – bearing in mind it is most unlikely to be in place on day 1 – there will be a hiatus until the Commission makes its adequacy decision. During that hiatus, as far as the EU is concerned, we will be a third country and the GDPR will be applied to us as such.
If you are certain that the data you collect and process begins in the UK, is stored in the UK and is consumed in the UK, then it is subject only to UK privacy law – which still requires that we observe all the tenets of GDPR, as enshrined in the Data Protection Act 2018 (the ‘UK GDPR’), in a domestic setting.
Transfers to the EU
If we collect data here and store or process it in the EU, and/or it is consumed in the EU and does not return here, then there is no change: the UK Government has said it will impose no additional measures on outward transfers, deeming the EU to be ‘adequate’ (though this will remain under review).
Transfers from the UK to third countries
GDPR already requires that additional mechanisms, for example ‘Standard Contractual Clauses’ (SCCs) and/or ‘Binding Corporate Rules’ (BCRs) should be in place to ensure that the level of protection of personal data and the strength of its governance is equivalent to that required by the GDPR. A sort of ‘tactical adequacy’ if you will.
Transfers from the EU, or exchanges with the EU
If we import or exchange personal data from or with the EU, there are significant changes. After 1 January 2021 we will become a ‘third country’ and, in the absence of an ‘adequacy agreement’, the GDPR imposes additional requirements for the protection of personal data that is transferred here from EU countries, including, for example, the use of the SCCs and BCRs mentioned above.
WHAT REMEDIES DO I HAVE TO CONTINUE MY BUSINESS?
Data Transfers from EU to UK
Until such a time that an adequacy decision has been reached, the ongoing transfer of personal data from the EU to the UK will become a ‘restricted transfer’ and will need some extra administration to enable it to conform to GDPR.
Identifying a Supervisory Authority or a Lead Supervisory Authority
If you import personal data from the EU you will need to identify the local supervisory authority – the body that regulates GDPR – in the country/countries concerned. Where personal data is imported from a number of EU countries, you can select a ‘lead supervisory authority’ – usually the supervisory authority of the country where most of your data subjects reside. It will be important to register with the authority and to fulfil their necessary registration protocols, including, for example, configuring your own processes accordingly and – belt and braces stuff – paying their registration fees if required.
Appointing an EU Representative
If you do not have an EU office, this is a given. You should ensure that your chosen representative is fully empowered to act on your behalf in all matters pertaining to your processing ‘mission’, including, for example, processing data subject access requests. You must update your privacy notice to include details of their representation as well as how the personal data will be secured. You must also notify their appointment to your EU supervisory authority or lead supervisory authority. At the end of the day you should remember that they are your representative – you are still responsible for conforming to GDPR.
The Data Protection Officer (DPO)
If you are of sufficient size to require a DPO, you may consider co-locating them with your representative and/or lead supervisory authority, or even establishing a second DPO in the EU if you already have one in the UK – though neither of these is a requirement.
Standard Contractual Clauses
These have not, so far, been required for transfers within the EU or between countries with formal adequacy agreements; however, from 1 January 2021 we will be a third country and, until we hear otherwise, one without an adequacy agreement in place.
The simplest way to carry on as close to normal as possible is by putting in place a contract between you and the sender on EU-approved terms, using what are known as standard contractual clauses (SCCs). Controller/Controller and Controller/Processor SCCs have been designed and approved by the EU Commission to provide the necessary safeguards for restricted transfers under GDPR. In nearly all cases, they will be the ‘go-to’ solution for small and medium sized enterprises for whom the transfer of personal data from the EU to the UK is key.
The ICO has already published a tool to help UK organisations identify the SCCs relevant to their business. It is available on the ICO’s website.
Binding Corporate Rules
For larger and/or multinational corporate groups or undertakings, so-called Binding Corporate Rules (BCRs) can be used to underpin the continued use of restricted transfers. BCRs are contained within a legally binding, internal ‘code of conduct’ that governs the behaviour of all the entities who subscribe to it. They must be designed and drafted to ensure that corporate information exchanged beyond EU borders is subject to at least the same degree of protection of personal data as it would if exchanged within the EU.
The BCRs are submitted to a lead supervisory body (usually in the country where the head or coordinating office is based) and are reviewed and approved by that body along with one or two other supervisory bodies of countries where other entities in the corporate group are based. Once approved, restricted transfers within the group are deemed to have the same degree of protection as if they were governed by GDPR.
Data in transit
Data transfers that are routed from one EU country to another via a server in, say, Australia (or the UK) are NOT considered to have left the EU. Data transfers from the EU to the UK, regardless of the route they take, are restricted, and you must always consider that GDPR requires data to be “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”; and that (another reminder!) “EU standards of data protection must travel with personal data when it goes overseas.”
In either case, when transferring personal data it is clearly preferable that it is protected using HTTPS/TLS encryption on the connection and/or encryption of the individual files themselves, so that the protection travels with the data end-to-end.
Data at rest
This is perhaps the least clear-cut element: cloud computing and storage imply that data, including personal data, might be stored anywhere. Certainly AWS and Azure seek to counter how, in GDPR terms, this might be perceived by providing choices for geolocation.
AWS say “You choose the AWS Region(s) in which your content is stored and the type of storage. You can replicate and back up your content in more than one AWS Region. We will not move or replicate your content outside of your chosen AWS Region(s) without your consent, except in each case as necessary to comply with the law or a binding order of a governmental body.”
The other big providers claim similar facilities.
The problem is the last bit, in that the United States can effectively subpoena “all electronic communication service or remote computing service providers that are subject to U.S. jurisdiction, including email providers, telecom companies, social media sites, and cloud providers, whether they are established in the United States or in another country.”
This includes any foreign entity that has an office or subsidiary in the US. It’s what has led the EU to rescind the Privacy Shield and, to date, it is irreconcilable with GDPR. So, unless your cloud is hosted in the EU, and in a datacentre that is corporately unconnected to the US, the data remains at risk by these means.
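To make the ‘take stock of your transfers’ advice concrete, here is a small Python audit script. It is an added example written for this page, not the author’s, the ICO’s or any cloud provider’s tooling. It runs over an inventory of data stores and transfer routes that is constructed inline (all names, country codes and URLs are made up), and flags the things the sections on ‘Transfers from the UK to third countries’, ‘Transfers from the EU’, ‘Data in transit’ and ‘Data at rest’ call out: content stored outside the EU/UK or with a provider under US jurisdiction, data at rest that is not encrypted, transfer endpoints that are not HTTPS/TLS, and EU-to-UK or UK-to-third-country flows with no SCC or BCR behind them. The classification follows the position the article describes for 1 January 2021 (the UK treats the EU as adequate; the EU does not yet reciprocate) and treats intra-EU flows routed via a non-EU server as not having left the EU.

```python
"""Offline audit of a constructed data-transfer inventory against the article's
points. Added example: not the article's or any provider's code."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# ISO 3166 alpha-2 codes for the EU/EEA (assumption: used only to decide whether
# a country counts as "inside the EU" for the checks below).
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
UK = "GB"
MECHANISMS = {"SCC", "BCR"}   # the safeguards the article names for restricted transfers


@dataclass
class DataStore:
    name: str
    country: str              # where the provider says the content is stored
    encrypted_at_rest: bool
    us_jurisdiction: bool     # provider (or its parent) has a US office/subsidiary


@dataclass
class Transfer:
    name: str
    source: str
    destination: str
    endpoint: str                     # URL the data is sent to
    mechanism: Optional[str] = None   # "SCC", "BCR" or None
    transit: List[str] = field(default_factory=list)  # countries routed through


def classify_transfer(t: Transfer) -> str:
    """Map one flow onto the categories the article describes (post 1 Jan 2021,
    no EU adequacy decision for the UK). Transit countries are deliberately
    ignored: routing via a non-EU server does not make data leave the EU."""
    src, dst = t.source.upper(), t.destination.upper()
    if src == dst:
        return "domestic"
    if src in EU_EEA and dst in EU_EEA:
        return "intra-eu"
    if src == UK and dst in EU_EEA:
        return "uk-to-eu"               # UK deems the EU adequate: no extra measures
    if src in EU_EEA and dst == UK:
        return "eu-to-uk-restricted"    # needs SCC/BCR until an adequacy decision
    return "third-country-restricted"   # UK or EU to anywhere else: needs SCC/BCR


def audit(stores: List[DataStore], transfers: List[Transfer]) -> List[str]:
    """Return one human-readable finding per problem spotted."""
    findings = []
    for s in stores:
        if s.country.upper() not in EU_EEA | {UK}:
            findings.append(f"{s.name}: content stored outside the EU/UK ({s.country})")
        if not s.encrypted_at_rest:
            findings.append(f"{s.name}: personal data not encrypted at rest")
        if s.us_jurisdiction:
            findings.append(f"{s.name}: provider subject to US jurisdiction (CLOUD Act exposure)")
    for t in transfers:
        kind = classify_transfer(t)
        if urlparse(t.endpoint).scheme != "https":
            findings.append(f"{t.name}: endpoint {t.endpoint} is not HTTPS/TLS")
        if kind.endswith("restricted") and t.mechanism not in MECHANISMS:
            findings.append(f"{t.name}: {kind} transfer without an SCC or BCR in place")
    return findings


# Constructed sample inventory (made-up names, regions and URLs).
SAMPLE_STORES = [
    DataStore("crm-eu", "IE", encrypted_at_rest=True, us_jurisdiction=False),
    DataStore("backup-us", "US", encrypted_at_rest=True, us_jurisdiction=True),
]
SAMPLE_TRANSFERS = [
    Transfer("de-to-fr-via-au", "DE", "FR", "https://ingest.example.fr", transit=["AU"]),
    Transfer("fr-to-uk", "FR", "GB", "https://ingest.example.co.uk"),
    Transfer("uk-to-nl", "GB", "NL", "http://legacy.example.nl/upload"),
    Transfer("uk-to-us", "GB", "US", "https://api.example.com", mechanism="SCC"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_STORES, SAMPLE_TRANSFERS):
        print(line)
```

Run as-is it reports four findings: the US-hosted backup twice (location and jurisdiction), the French-to-UK flow with no SCC/BCR, and the plain-HTTP upload to the Netherlands. The German-to-French flow routed via Australia and the UK-to-US flow covered by an SCC pass cleanly, which matches the article’s treatment of transit and of SCCs with third countries. Swapping the constructed lists for your own inventory is the whole point of the exercise.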
It’s worth noting that, while the blanket coverage of the Privacy Shield is no longer valid, the use of SCCs with third countries, including the US, remains legal, albeit with ‘additional safeguards’ in place. On which note I leave you with this statement from the ICO, which includes the words:
“We reiterate our advice that organisations should take stock of the international transfers they make, and update their practices as guidance and advice become available.”
WATCH THIS SPACE.
Author Bio: Mark Phillips: Prior to joining the UK arm of GIDE Market and Social Research, Mark worked in a range of government roles including policy and communications at HM Treasury, team leader of the award-winning i-Bio biotechnology portal at DTI and Director of Operations at the Department for Education’s Data Services Division.
Building on this experience, in 2013 he joined Software for Data Analysis (SDA) where he worked to extend their reach in the public and private sectors. He identified information security and data protection as key differentiators and worked to obtain SDA’s ISO27001 information security certification and, more recently, GDPR compliance.
Most recently he has leveraged this capability to help converge the technological acumen of SDA with the market and social research chops of GIDE, their sister company, to bring their combined expertise to the UK market.