PREPARE FOR IMPACT: the Consequences of a "No Deal" Brexit on Data Protection Regulations
A FEW DAYS AGO, a company in Germany contacted its service provider in the United Kingdom. "We demand that all our company data be moved out of the United Kingdom and into the EEA," the customer stated, concerned about the legal implications of a no deal Brexit. "Furthermore, no more data may be processed after Brexit by your London support desk; it must be managed by individuals within the EEA."
Since the service provider's main support office is located within the UK, and since the definition of "processing" covers anything from "retrieving and storing data" to merely "looking at it", this demand creates a troublesome hurdle to overcome after 29 March. What should the service provider do? And could a similar scenario affect you? Let's look at this together.
Determining Brexit Exposure to Regulated Data
Many are concerned about the consequences of a no deal Brexit, including its impact on fishing regulations, airline flights, end-to-end manufacturing supply chains, and so on. But the impact of Brexit on service providers such as cloud operators that handle data between EEA and UK entities will be consequential if no preparations are made by 29 March. Will customers in the EEA insist that action be taken, such as moving data back into the EEA or demanding adequacy measures?
In a simple word, yes.
Transfers of regulated EEA data outside the EEA (i.e. where data will be held on servers abroad, which can include emails or attachments containing personal data) must be made lawfully. The recipient organisation must "ensure an adequate level of protection" for personal data and the rights of individuals with respect to their personal details. For instance, a company in Paris employing a service provider in London must take action immediately to ensure it has a lawful basis to transmit regulated data into the UK. In essence, if you're a company in the United Kingdom, do not be surprised if you are the recipient of requests to:
Move data out of the UK; or
Sign a legal instrument called a Standard Contractual Clause; or
Submit to an audit to prove adequate safeguards have been employed regarding the protection of personal information; or
All of the above.
The Information Commissioner's Office (ICO) of the United Kingdom has issued a similar advisory to UK-based companies.
Concerns from the UK's Information Commissioner
The United Kingdom’s Information Commissioner recently published her advice about how to be prepared for a possible no deal Brexit. While personal and sensitive information will not be restricted from flowing from the United Kingdom into the EEA, the inverse will be prohibited without new measures being taken prior to 29 March 2019.
"Transfer of personal information from the EEA to the UK will be affected," says Elizabeth Denham, Commissioner of the ICO. "Organisations will need to carefully consider alternative transfer mechanisms to maintain data flows."
To provide context for the problem: once the UK exits the EU/EEA, it will need to submit an application to the European Commission to receive an "adequacy ruling", which will take time and face obstacles. To date, eleven countries have gone through this process, including New Zealand, Switzerland and Canada. But the process takes time, and the application for an adequacy ruling can only be submitted once the UK has left the European Union.
During this transition period, there will be a regulatory gap that will effectively freeze all EEA-to-UK data transfers. Without a decision of adequacy, it will be illegal for EEA companies to transfer personal and sensitive data to the United Kingdom unless alternative transfer mechanisms are in place. As of this writing, I am hearing from customers who are greatly concerned about this, and some are demanding their data be moved out of the UK in an abundance of caution.
So what can be done? There are two options to consider; the first option is an obvious but extreme measure that some cannot easily accommodate.
Option 1: Move EEA Regulated Data from the UK to the EEA. This may not be possible or practical, but some customers may demand their EEA data be stored within the EEA, including any processing operations. Does your company have the capability to accommodate this request if pushed? If not, there are other mechanisms that can be employed when the customer permits it.
Option 2: Implement EU Model Clauses. A straightforward approach to legitimizing transfers of regulated data from the EEA to the UK is to implement EU Model Clauses, specifically Standard Contractual Clauses (SCCs). These legal instruments bind the receiving organisation to respect data protection principles. The process is similar to the steps currently taken to legitimize the transfer of data from the EEA to other non-adequacy countries such as the United States, involving the employment of legal instruments and assurances of implemented safeguards for the protection of personal data.
When possible, I advise customers to aim for option 2; it is a straightforward process and consists of compliance paperwork rather than migrating databases and support desks. However, even if your customer insists that you migrate data back into the EEA, option 2 may still be needed for any processing that remains in the UK, such as a UK-based customer support desk. For instance, if a support engineer opens a customer ticket whilst sitting in the UK, then regulated data is "processed" in the UK the moment someone simply "looks at it", and SCCs would be necessary to legitimize that activity.
Beyond options 1 or 2 above, there are other measures you will likely need to take; this is examined next.
Update Your Data Processing Agreements
You may need to update your Data Processing Agreements, both existing DPAs and your general DPA template. Any processor in the UK must now be treated as residing in a country that has not received a decision of adequacy from the European Commission. If your DPA contains a table of subprocessors describing their locale and adequacy status, this will likely need to be updated as well.
Re-Evaluate the EU-US Privacy Shield
For those employing the EU-US Privacy Shield framework to transfer data between the UK and the United States, you'll be impacted as well. Since the UK will no longer be in the EU, the UK can no longer benefit from this framework as it becomes "uncoupled" from the EU programme. You'll also need to make changes to your website privacy notice, and to the way your organisation shares information internally, both customer information and employee personal information.
Update Your Website
I also recommend that your organisation create a dedicated page on your company's website that explains how you are preparing for a no deal Brexit, including what it means to your customers and data subjects, and how customer data will be legitimized and protected legally, administratively, technically and organizationally.
Furthermore, your website's privacy notice may need to be updated. Be sure to re-evaluate what's been written, and ensure it's revised to align with a post-Brexit world.
Get Prepared Now Because Time is Short
Without getting into the weeds, there are more details that can be shared, and I'm cautious about listing them all here. For instance, if you have many legal entities globally distributed, including those in the UK, you may need focused assistance to ensure adequate transfer mechanisms are in place so that customer information and HR information can legitimately flow between your legal entities. Reach out to me if you'd like more information about that, including employing Binding Corporate Rules (BCRs).
The window of time to complete these activities is extremely short! Take an inventory of what needs to be done, get working, and enlist competent help if the job's too big. But don't risk the loss of customer confidence, regulatory penalties and reputational damage by doing nothing.
About the Author
Scott Allendevaux is a senior partner and data protection specialist at a data protection and regulatory compliance firm (www.allendevaux.com). He specializes in compliance with international regulations for data privacy and information security, and leads the company's cybersecurity practice. He may be contacted by emailing firstname.lastname@example.org.