Operation Yellowhammer, the series of measures and warnings from the UK in the event of a no-deal Brexit in October, made for some stark reading.
The leak, reported by The Sunday Times, laid out the litany of problems ahead from border checks to medicine shortages.
Amid the warnings came a note on the status of personal data transfers between the EU and the UK that was quite clear:
“The EU will not have made a data decision with regard to the UK before exit. This will disrupt the flow of personal data from the EU, where an alternative legal basis for transfer is not in place. In no-deal, an adequacy assessment could take years.”
Data is the new oil, as the cliché goes, and plenty of people in industry and policy have been sounding the alarm over the movement of data since 2016.
The status of data transfers is understandably a few rungs down the pecking order of Brexit concerns when hard borders and food and medicine shortages are on the agenda.
But for several industries and sectors, from banking to SMEs, the pipeline of data between the UK and EU is a vital artery for business.
If it’s turned off on 31 October, there will be serious complications for European, and particularly Irish, companies.
Currently, data moving back and forth between the UK and other EU member states flows seamlessly.
As we barrel towards a likely no-deal Brexit in 71 days’ time, the UK will no longer be a member state and will become a third country.
The UK’s Information Commissioner’s Office has previously ensured that data moving to the EU from the UK will continue unabated, but the same can’t be said vice versa.
The transfer of data outside of the EU – and the EEA states of Norway, Liechtenstein and Iceland – to third countries comes with caveats.
Typically, adequacy decisions are used in these cases. An adequacy decision refers to the legal mechanisms that assess whether a third country has adequate data protection safeguards in place.
It can be a long-winded process involving proposals from the European Commission followed by reviews by the European Data Protection Board and approval from each member state. At that point the Commission will give the okay.
Adequacy agreements are in place for countries such as Japan and Canada, and in the case of the US there is the Privacy Shield pact.
If the UK leaves with no deal, there will be no adequacy agreement in place.
The UK already has EU-grade data protection laws on its books so in theory negotiating an adequacy agreement is doable, but it will not happen overnight.
If there’s one thing that’s been made clear over the last three years, it’s that deal-making is a slow process. As the Yellowhammer docs read, an adequacy assessment “could take years”.
A further issue is the approach to data protection that a third-country UK will take in the future.
“The problem is that post-Brexit the UK is free to change their data protection regulation and so may diverge from standards such as GDPR,” Jim Friars, the chief executive of the Irish Computer Society, said.
“The good news is that the UK has said it will continue to acknowledge the EEA member states as having an ‘adequate level of protection for safeguarding personal data’ however even this is not guaranteed given that these promises were made by the previous prime minister Theresa May.”
Standard contractual clauses
There are alternatives to explore, the chief among them being standard contractual clauses (SCCs).
These are clauses, approved by EU authorities, embedded in contracts between two parties that guarantee the rights of the personal data involved.
Irish companies transferring data to and from the UK or using UK-based data services will get tangled up in all of this.
According to Ireland’s Data Protection Commissioner, clauses can be “adopted by putting in place a stand-alone or new contract between the Irish-based controller and the UK-based recipient”.
“Any organisation using a UK company to provide any service or data warehousing for Irish businesses is likely to be making data transfers,” Friars added.
“Therefore in the absence of any adequacy deal, standard contractual clauses for data importers/exporters which are available from the EC should be put in place where possible.”
However, like all things Brexit-related, this has some complications. Standard contractual clauses are being challenged in the European courts by Max Schrems, the Austrian privacy activist and Facebook adversary.
In 2015, Schrems’ legal challenge led to the striking down of Safe Harbour, then an agreement between the US and the EU that ensured legal data movement.
Schrems claimed that the deal did not adequately protect EU residents’ data from US surveillance. It ultimately led to the introduction of its replacement, Privacy Shield, which has come under much scrutiny from legal eyes too.
Now Schrems is embroiled in another legal challenge that is taking on the validity and safeguards of standard contractual clauses – many of which were put in place after Safe Harbour collapsed.
At the heart of the case is how the likes of Facebook use these clauses to transfer Europeans’ data to the US and other jurisdictions where data privacy rights may not be upheld.
Should the courts rule in Schrems’ favour and find that standard contractual clauses are not up to the task, it will create even more headaches for businesses.