Helen Goldthorpe, associate and commercial IT lawyer at Leeds-based corporate law firm Shulmans LLP, explains how data transfers between the UK and the EU may be stopped in their tracks post-Brexit.
This article is the view of the author and not necessarily of Ready for Brexit.
While much of the attention around Brexit negotiations has focused on the movement of physical goods, it is also important to consider the impact of the pending Brexit on data flows between the UK and the EU.
Under EU regulations, there are restrictions on the transfer of personal data outside the European Economic Area (EEA). In contrast, data transfers within the EEA borders are not restricted, which allows UK companies to transfer data freely within that area. In the event of the UK leaving the EU in a no-deal Brexit scenario, or likewise without any transitional arrangements in place, transfers between the UK and the EEA would be subject to the same additional regulations as those which currently apply to non-EEA transfers.
This, of course, has implications for any businesses that rely on transferring UK-hosted data to the EEA and vice versa, for example, multi-national groups. Due to the advent of cloud computing, it is not uncommon for personal data to be stored on servers situated in other EU countries, so this would need to be reviewed by firms in the event of a no-deal situation.
The position for businesses trying to plan ahead for a no-deal Brexit is also complicated by a case that is currently being heard in the European Courts. Those with long memories may be familiar with the name Max Schrems. In 2015, he challenged the way in which Facebook transfers personal data to the USA and successfully invalidated Safe Harbor, which was a mechanism that enabled such transfers. As a result, many businesses changed to another permitted mechanism, known as Standard Contractual Clauses (SCC), while waiting for what is known as ‘Privacy Shield’ to be implemented.
In turn, Max Schrems started legal action challenging the use of the SCC by Facebook. It is this litigation that is currently being heard in the European courts, with a judgment expected after the summer. This is particularly significant for businesses in the UK, as the SCC are one of the main mechanisms by which data transfers from the EEA to the UK would be permitted in the event of a no-deal Brexit. If the SCC are invalidated, then it will leave businesses in a difficult position with no obvious replacement.
The position in relation to outbound transfers after Brexit is likely to be more straightforward – the UK government has said that these data transfers will continue to be permitted, and the recipient in an EEA country will continue to be subject to GDPR. However, transfers back from the EEA to the UK (including the transfer back of data that were originally exported from the UK) are likely to be more problematic. Although GDPR will continue to apply, this does not automatically mean that transfers are permitted.
In theory, the EU could declare that the UK has an ‘adequate level of protection,’ based on its implementation of GDPR, to enable ongoing data transfers – and this type of declaration is already in place for a number of countries across the world. However, no discussions on putting this declaration in place will start until after Brexit and it is likely to take some time before any declaration is finalised.
For companies within multi-national groups, it is possible to put in place ‘Binding Corporate Rules’ to cover intra-group transfers, but it tends to be a complex and lengthy process to gain approval to do so. In addition, this would not help for transfers to third parties, such as cloud-computing suppliers. This is the situation where the SCC would usually be used. If the SCC are invalidated as a result of the Schrems case, this would add an additional and unwanted complication to Brexit planning.
Many suppliers are aware of this issue and give choices about where data is hosted. If you have this option, then it may be prudent to opt for UK-based hosting until the position becomes clearer. It is also worth bearing in mind that when Safe Harbor was invalidated, the regulators used common sense in giving companies time to move to an alternative solution. At this stage, we would suggest that businesses ensure that they understand how much data they store in the EEA and which suppliers will be impacted in order to move quickly if the need arises.