Brexit, Data, and the Rise of Privacy Brolly
Politico.eu ran a Brexit story yesterday that the EU Commission was working on an interim solution for cross-border data transfers to the UK. A short-term adequacy decision wrapped into the wider trade deal is being discussed. Not quite a “Privacy Shield”, but a “Privacy Brolly”. This is interesting as I first spelled out the need for some form of adequacy decision in the webinar I did with Tim Turner back in July 2016 and I coined the phrase “Privacy Brolly” at the time (you can find the recording of that webinar on our Brexit page). I even did the “Privacy Shield thing” of coming up with a logo for any proposed future transfer mechanism long before the specifics of what it was or how it would work were known.
There are a number of practical problems with this proposed solution. The first is the fact that it doesn’t actually provide any certainty for businesses on either side of the post-Brexit data border. The second is that it doesn’t provide any certainty for businesses on either side of the post-Brexit data border. The third issue is it is tied up in the wider question of a trade deal being agreed. As the first two are technically the same problem (but so big they are worth mentioning twice), I’ll start by looking at the last issue first.
The Trade Deal
If Privacy Brolly is to be wrapped into a trade deal, there must first be a trade deal. And that appears to be as elusive as it ever was. Indeed, RTE’s Tony Connelly (one of the most consistently accurate reporters on all things Brexit) reported last night that many Member States were looking to have the No Deal contingency measures moved up. This follows a very gloomy assessment from the EU’s chief negotiator.
It appears that more member states are calling for No Deal contingency measures to be brought forward, and there is some suggestion – not confirmed – that these measures will go before the College of Commissioners tomorrow morning.
— Tony Connelly (@tconnellyRTE) December 8, 2020
So, no trade deal means no Privacy Brolly. No Privacy Brolly means reliance on alternative measures under Article 49 of GDPR. It also means that transfers for law enforcement purposes under the Law Enforcement Directive become similarly difficult.
At the time of writing, the trade deal is deadlocked in intransigence and an obsession with fish (which accounts for a whopping 0.1% of the UK’s GDP). Therefore, I would not hold my breath on any form of Privacy Brolly temporary adequacy decision arising through that route.
Brexit Privacy Brolly – the data protection challenges
When I first floated the idea of the Privacy Brolly back in 2016, the myth of Privacy Shield was newly minted and it hadn’t yet been struck down by the CJEU. Watson/Tele2 hadn’t been decided. But my sense was that some form of special type of adequacy decision would be needed. And here we are. Schrems2 has happened and Watson/Tele2 have happened and both of these create issues for any adequacy agreement with the UK, even a temporary one.
Watson/Tele2 found elements of the UK’s Investigatory Powers Act to be incompatible with EU law. The Commission cannot ignore this in making an adequacy decision. The reason for that is that Schrems2 requires an assessment of the equivalence and adequacy of protections for personal data in the Third Country. Because the UK’s legislation has already been found to be incompatible with EU law while the UK was a Member State, it is difficult to see how the hurdle of the Schrems2 tests can be cleared in a meaningful way that will not be subject to an immediate challenge.
This means uncertainty for any organisation that is engaging in transfers to the UK.
Another issue is the temporary nature of the adequacy decision. At six months it is, at best, a stay of execution for organisations who, to date, haven’t actually looked at the issue or who are having to reassess their approach to EU/UK data transfers post Schrems2. Time flies when you are struggling to reassess and rework data transfers and assess the inherent risk to data subjects arising from the transfer of their data to third countries. It’s important to note in this context that the EU Commission has chosen to emphasise the importance of the GDPR’s risk-based approach in their draft Standard Contractual Clauses post Schrems2. However, the EDPB has taken a more puritanical and absolutist view in their draft guidance that any risk means no dice on data transfers.
The key question is this: If the Commission grants a temporary adequacy decision as part of a trade deal, and if that decision is limited to six months, what happens in Month 7? Two simple scenarios arise.
Scenario 1: Commission rolls the decision over
In Scenario 1, the Commission rolls their six-month adequacy decision over for another six months (or perhaps longer). But, assuming nothing changes in the UK legislative environment in that time in either primary or secondary legislation, the original decision is still open to challenge under Watson/Tele2 and the two Schrems decisions. As this would be a challenge to a Commission decision, it would need to go to the CJEU. Organisations would wind up relying on a data transfer mechanism that is widely regarded as incompatible with EU law, is subject to a CJEU referral, and where the general direction of the Court’s jurisprudence in this area is clear. This introduces a significant degree of uncertainty with a large dollop of inevitability.
Of course, if things changed in the UK in a positive direction during the six months (e.g. amendments to the IP Act, changes to Data Protection Act 2018, better clarity on how the ICO will be an effective independent regulator post Brexit, a renewed commitment to Convention 108+, the Convention on Human Rights, and the European Court of Human Rights), this might be a workable scenario. But “if” is doing a lot of heavy lifting in that sentence.
It is more likely that there would be regulatory divergence within six months, most likely through secondary legislation. Back in 2017 I called this out in my contributions to the panel discussion on Brexit at CPDP (video of that can be found on our Brexit page). In that event, any roll over of a temporary adequacy decision by the Commission would be difficult as the applicable legal regime would have changed and diverged from that on which the adequacy decision was grounded.
Scenario 2: Commission terminates Adequacy decision after six months
This scenario assumes the Commission is playing realpolitik with this proposal. The temporary adequacy decision is granted for six months either to buy time for EU organisations to find alternative grounds for transfer or to move their data processing operations, or in the hope that the reality of the impact of data transfer issues post-Brexit will sink in with their counterparties. After all, the personal data processed in the financial services and insurance sectors that hasn’t already been moved will need to be migrated. That takes a few months to do. If people come to their senses, that might not need to be done. Either way, time is needed for adjustments to be made somewhere. And six months is short enough that, even if a challenge is mounted, the issues affecting adequacy will be solved before it gets to the CJEU or the plug will have been pulled.
So, at six months the Commission sees that no progress has been made on addressing the issues. This should come as no surprise to them, as the UK has spent over two years ignoring issues in Brexit to date. Therefore, the Commission pulls the plug on the temporary adequacy decision. But, the UK will argue, “NOTHING HAS CHANGED SINCE WE WERE TOLD WE WERE ADEQUATE IN JANUARY 2021!!”. (This assumes no fecking around by the UK through primary or secondary legislation for six months.)
What happens next depends on what dispute resolution mechanisms are baked into the trade deal (which we are assuming, against all evidence, will exist). However, as a decision of the EU Commission can only be overturned by the CJEU, it will likely require a referral to the CJEU by the United Kingdom of the decision not to renew the adequacy decision.
The CJEU. The court the UK wants to be free from the jurisdiction of.
This would effectively result in a stay of the Commission’s decision until a determination was made. Which brings us back to the period of uncertainty in Scenario 1, where organisations might be relying on a data transfer mechanism that even the EU Commission says isn’t effective for data transfers, pending a decision of the CJEU on that Commission decision. A decision which will need to consider (amongst other things) the case law in Watson/Tele2 and Schrems2. Therefore, even if Privacy Brolly were to come to pass, it should only be considered a band-aid, not a solution.
So, what next really for Data Protection post-Brexit?
The only truthful answer is we really don’t know. There is an abundance of things in motion at the moment which will affect the final outcome. What we do know is that:
- The UK will be a Third Country outside the EEA in 22 days time.
- Anyone in the EU sending data to a UK-based processor (or indeed Joint Controller) will require a legal basis for that transfer under GDPR (and under the Law Enforcement Directive). Standard Contractual Clauses might be it (but the current pre-GDPR ones, not the proposed draft updates… because they haven’t been approved yet).
- Irrespective of the transfer mechanism that you use, EU-based Controllers will need to pay attention to the additional measures they take to ensure appropriate safeguards for data transfers based on the likely areas of risk inherent in the processing activity and resulting from the assessment of the legal regime in the Third Country.
- Regulators may adopt an absolutist approach, they may not. But no Controller wants to be the one that makes legal history finding out.
- You may need to appoint a Nominated Representative in the EU if you are a UK-based Data Controller. At the very least, you should document your assessment of why you believe you don’t need one (because not everyone will).
- Likewise, you may need to appoint a UK-based NomRep if you are an EU-based controller targeting the UK market. Again, you should document your assessment of why you believe you don’t need one if you aren’t appointing one.
- You will need to understand the chains of onward data transfer that may be happening in your data ‘supply chain’ – and this includes employees working in the UK for EU-based Controllers (and vice versa).
At less than 12 working days before Christmas it is probably too late for organisations who haven’t yet taken steps to address their Brexit risk to do anything substantial. However, the Zen proverb is that while the best time to plant an oak tree is twenty years ago, the second best time is today. At this late stage, waiting for certainty is not a viable strategy and organisations need to start implementing a plan to identify, manage, and mitigate their compliance risks arising from cross-border transfers post Brexit.
How can Castlebridge help your organisation?
Castlebridge can help organisations who are struggling to get their heads around the operational and potential brand risks arising from data protection and Brexit. We have a range of advisory and NomRep services we can offer. Get in touch to find out how we can help!