02 July 2019
Brexit, data flows and the Standard Contractual Clauses
Whilst much of the attention around Brexit negotiations has focused on the movement of physical goods, it is also important to consider the impact of Brexit on data flows between the UK and the EU.
Under EU regulations, there are restrictions on the transfer of personal data outside the EEA – unlike transfers within the EEA which are not restricted. In the event of the UK leaving the EU without any transitional arrangements, such as in a no-deal Brexit, transfers between the UK and the EEA would be subject to similar additional regulations.
This of course has implications for any businesses that rely on transferring UK-hosted data to the EEA and vice versa, for example, multi-national groups. Due to the advent of cloud computing, it is not common for personal data hosted to be stored in other EU countries rather than the UK, which would need to be reviewed by firms in the event of a no-deal situation.
The position for businesses trying to plan ahead for a no-deal Brexit is also complicated by a case which is currently being heard in the European Courts. Those with long memories may be familiar with the name Max Schrems. In 2015 he challenged the way in which Facebook transfers personal data to the USA and was successful in invalidating Safe Harbor, which was a mechanism which enabled such transfers. As a result many businesses changed to another permitted mechanism, known as the Standard Contractual Clauses (SCC) while waiting for a replacement for Safe Harbor, known as Privacy Shield.
In turn, Max Schrems started legal action challenging the use of the SCC by Facebook and it is this litigation which is being heard in the European courts this July, with a judgment expected after summer. This is particularly significant for businesses in the UK as the SCC are one of the main mechanisms by which transfers from the EEA to the UK would be permitted in the event of a no-deal Brexit. If the SCC are invalidated then it will leave businesses in a difficult position with no obvious replacement.
The position in relation to outbound transfers after Brexit is likely to be the most straightforward – the UK government has said that these transfers will continue to be permitted, and the recipient in an EEA country will continue to be subject to GDPR. However, transfers back from the EEA to the UK (including the transfer back of data which were originally exported from the UK) are likely to be more problematic. Although GDPR will continue to apply, this does not automatically mean that transfers are permitted.
In theory the EU could declare that the UK has an “adequate level of protection”, based on its implementation of GDPR, to enable ongoing data transfers, and this type of declaration is already in place for a number of countries across the world. However, no discussions on putting this declaration in place will start until after Brexit and it is likely to take some time before any declaration is finalised.
For companies within multi-national groups it is possible to put in place “Binding Corporate Rules” to cover intra-group transfers but it tends to be a fairly complex and lengthy process to gain approval for these rules. In addition, this would not help for transfers to third parties, such as cloud computing suppliers. This is the situation where the SCC would usually be used. If the SCC are invalidated as a result of the Schrems case this would add an extra complication to Brexit planning.
A number of suppliers are alive to this issue and give choices about where data is hosted. If you have this option then it may be prudent to opt for UK based hosting until the position becomes clearer. It is also worth bearing in mind that when Safe Harbor was invalidated, the regulators used a bit of common sense in giving companies time to move to an alternative solution. At this stage we would suggest that businesses ensure that they have an understanding of how much data they store in the EEA and which suppliers are impacted in order to move quickly if the need arises.