16 September 2019

After Brexit – solving the border problem in a data driven world

It is 7am on 1 November 2019. A notification flashes on your mobile: 'Brexit delivered'. Despite years of political posturing, neither the United Kingdom nor the European Union could agree on a plausible deal. You need coffee.

[Sometime later …]

You are now halfway through your third coffee and the consequences of a 'No-Deal' Brexit are giving you a mild headache.

The data protection officer in your London office has confirmed that the UK is now deemed by the EU to be a 'third country' and they have asked you to confirm whether data flows from the Guernsey and Jersey offices to the UK will continue to be lawful. 

You need another coffee (and an aspirin).

***********

One would be forgiven for thinking, in today's increasingly interconnected digital world, that data transcends borders. In practical terms, for example, an email can be sent from an office in Glasgow and, seconds later, be delivered to an inbox in Manila. What is often overlooked is the legal framework which enables the free flow of data across borders. Over recent years we have seen a proliferation of legal challenges to that framework, including court action concerning the validity of data transfers from Europe to the US (under the now defunct 'Safe Harbor' mechanism and its slightly more muscular relative, 'Privacy Shield').

And now there is Brexit, together with the uncertainty regarding whether the UK will leave with or without a deal.

If the previously unthinkable happens and a no deal Brexit is the outcome, what happens from a data protection perspective? In particular, where does such an outcome leave an organisation based in the Channel Islands, whose main business operations require the sizeable, uninterrupted and unencumbered flow of data to the UK?

To attempt to understand the issues, one must rewind the clock to 1980 (four years before Steve Jobs unveiled the first Macintosh computer and nine years before the Internet's "Big Bang"[1]).

It was in this year that the Organisation for Economic Co-operation and Development (OECD)[2] developed its 'Guidelines on the Protection of Privacy and Transborder Flows of Personal Data'. These guidelines introduced a set of model principles to be followed by data controllers. They recognised the importance of enabling the free flow of information between member countries so as to avoid creating "unjustified obstacles to the development of economic relations among member countries". Whilst the guidelines recommended that member states should not restrict transborder flows between themselves, they could impose restrictions on the transfer of information to other countries.

This formed one of the founding tenets of European data protection law and is still relevant today under the General Data Protection Regulation (GDPR).  But where there are borders, there are restrictions.

General principle on transfers

Both the GDPR and the Channel Islands' data protection laws prevent controllers and processors (the "Data Exporter") from transferring personal data to any third territory, jurisdiction or 'international organisation' outside the European Economic Area or EEA (the "Recipient") unless:

  1. the Recipient ensures an adequate level of protection for the personal data, as determined by the European Commission (often referred to as an 'adequacy decision'); or
  2. in the absence of an adequacy decision under (1), the Data Exporter puts in place appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available; or
  3. in the absence of either (1) or (2), the Data Exporter is able to rely on one of the recognised derogations to legitimise the transfer.

These restrictions create a barrier in respect of certain jurisdictions, depending on the adequacy of their data protection regimes. In practice:

  • Transfers of personal data to a country within the EEA (comprising each of the European Member States as well as Iceland, Liechtenstein and Norway) are unrestricted;
  • Similarly, any data transfers to a jurisdiction which holds an adequacy decision[3] are permissible (such as the Bailiwick of Guernsey and the Island of Jersey and those US companies who have signed up to EU-US Privacy Shield); and
  • Transfers of personal data to a Recipient which has not received an adequacy decision will not be permitted unless the Data Exporter can demonstrate that a suitable safeguard or derogation applies.

So where does this leave the UK post Brexit? 

If the UK leaves the EU on the terms set out in the withdrawal agreement negotiated by Theresa May's government, Brexit would not have any immediate impact on data flows to the UK. This is because the terms of the withdrawal agreement provide that the GDPR would continue to apply in the UK until 31 December 2020 (a period which may be extended, by joint agreement of the UK and EU, for a further two years[4]) and during that time the UK could apply for an adequacy decision. In essence, therefore, the status quo would be preserved for the transition period, during which the UK government could seek an adequacy decision.

A 'No Deal' Brexit, on the other hand, poses a different set of challenges. If the UK leaves the EU on 1 November 2019 without a deal, it will (for EU purposes) become a 'third country'. The UK would essentially fall into the third category of Recipients above (those without an adequacy finding), meaning that transfers of personal data from the EU and the Channel Islands into the UK would not be permitted unless the Data Exporter can demonstrate that a suitable safeguard or derogation applies.

What counts as an 'appropriate safeguard' or 'derogation'?

In essence, an 'appropriate safeguard' provides a longer-term solution for regular, systematic data sharing. Intragroup transfers are a good example of this. For instance, if one company has outsourced its payroll functions to another company within the same group, putting in place a safeguard would be an appropriate way of ensuring that the regular sharing of personal data is adequately protected. In contrast, a derogation may be appropriate for an irregular or one-off transfer where the transfer is necessary but not routine.

Safeguards:

Both the GDPR and the Channel Islands' data protection laws make provision for a number of 'safeguards'. These include the use of:

  • Approved codes of conduct and certification mechanisms;
  • Binding Corporate Rules (BCRs); and
  • Standard Contractual Clauses (SCCs, sometimes referred to as 'Model Clauses').

However, while approved codes of conduct and certification mechanisms have the potential to provide organisations with greater flexibility, neither option is available at the time of writing.

Channel Islands businesses deploy BCRs and SCCs frequently. BCRs have been recognised as a form of safeguard for many years and are often considered to be the most robust mechanism for transferring data in an intragroup scenario. In simple terms, BCRs are a comprehensive set of data protection policies, based on European privacy standards, that are voluntarily adhered to by each undertaking within the same corporate group. In this way they compensate for a lack of data protection in a third country which has not been deemed 'adequate' by the European Commission. BCRs are also a practical and flexible solution to many of the jurisdictional complexities arising when transferring personal data across borders. There is, however, a caveat. Under the GDPR every set of BCRs must be approved by a competent lead data protection authority. As such, BCRs are not a 'quick fix'. If your group does not already have BCRs in place (or has not taken steps to ensure that BCRs are in place by 31 October 2019) this solution will likely not be available in time.

The most popular transfer mechanism we see is the use of SCCs. SCCs are a set of pre-approved clauses that the European Commission has authorised for use as a contractual means of ensuring that both the Data Exporter and the Recipient safeguard personal data in accordance with EU standards. There are at present three sets of SCCs: two governing the transfer of data between controllers and one governing transfers between a controller and its processor. There are currently no SCCs governing transfers from a processor to a sub-processor.

The advantage of SCCs is that they can be implemented without needing to wait for the prior approval of a data protection authority and can simply be appended to existing data sharing and processing agreements. The disadvantage is that they cannot be amended, so any amendments of a bespoke nature would need the approval of a data protection authority.

This sounds complicated - why can't the UK merely apply for an adequacy decision?

In essence, the UK's proposed departure from the EU has come at an interesting, if somewhat turbulent, time. The UK can and almost certainly will apply for an adequacy decision; however, it is not yet clear how long the EU will take to determine if the UK is 'adequate' or not.  Simply put, adequacy decisions take time to process and it is possible that the UK will have to form an orderly queue behind the other jurisdictions currently awaiting a determination. 

Additionally, despite the fact that the UK has already implemented its own GDPR-equivalent legislation, it could still encounter hurdles to obtaining an adequacy decision. This is because the UK has some of the widest-ranging surveillance powers in the western world. The European Commission is particularly sensitive to this issue following the invalidation of Safe Harbor in light of the Snowden revelations and the legal challenges mounted by Maximilian Schrems.

Moving personal data across the English Channel

Against this turbulent backdrop, it may come as a surprise that the Channel Islands are presently unaffected by this issue.

Both Jersey and the Bailiwick of Guernsey have adequacy status and have also implemented legislation permitting Channel Islands companies to transfer personal data to the UK until the end of 2020 (to coincide with the end of the transition period proposed under Theresa May's withdrawal agreement).

However, there is a 'but'.  To the extent that the European Commission rules on the UK's adequacy before the expiry date set in Jersey and Guernsey's legislation (i.e. before 31 December 2020), Guernsey's Data Protection Authority has confirmed that it would ask the States of Deliberation in Guernsey to revoke the legislation so that the ability to transfer data to the UK with this approach would cease.  It remains to be seen what Jersey would do in a similar situation.

Furthermore, whilst this legislation legitimises the transfer of personal data under the local data protection regimes, it does not extend to the GDPR.

There may, for example, be circumstances where a Guernsey or Jersey company is subject to both the local data protection law and the GDPR itself (by virtue of the GDPR's extraterritoriality provisions).  In these circumstances, local companies will still have to consider which transfer mechanisms they can rely on under the GDPR in order to enable the lawful transfer of data to the UK. 

In both scenarios, an alternative data transfer solution would need to be considered.  The European Data Protection Board has published a guidance note in this regard which can be found at: https://edpb.europa.eu/our-work-tools/our-documents/drugo/information-no...

For all these reasons, SCCs are likely to remain the most practical solution to allowing data transfers but some caution should be exercised due to potential changes on the horizon.

The future of SCCs – trouble on the horizon? 

As with many aspects of data protection, there is a back-story.  There are also actors, a stage and costume changes. This particular story involves some, now infamous, characters.

In June 2013 Edward Snowden made a number of unauthorised disclosures, revealing that the US National Security Agency (NSA) had been conducting surveillance on individuals on a mass scale.  Questions soon followed regarding the robustness of the US's 'Safe Harbor' Framework (which legitimised data flows from the EEA to the US), with some allegations that the participants of Safe Harbor were also involved in the NSA's surveillance activities. Following calls from privacy activists and data protection authorities, the European Commission had no option but to reopen discussions with the US government to address the criticism.

Following dialogue with the US, the Privacy Shield (Safe Harbor's replacement) was 'born'.  Since its introduction, Privacy Shield has flirted with controversy.  In particular, the Article 29 Working Party (now replaced by the European Data Protection Board) observed that, in addition to concerns that the redress mechanism for data subjects was complex and unwieldy, the agreement did not expressly exclude the mass and indiscriminate collection of personal data by US intelligence agencies from the EU.

Against this backdrop, Max Schrems, a (then) law student and somewhat unlikely protagonist, entered stage left. Mr Schrems made a series of formal complaints regarding the operation of Safe Harbor. He originally complained that Facebook Ireland (the data controller for Facebook's European subsidiary) could no longer rely on the Safe Harbor Framework to legitimise the transfer of his data to the US as a result of the NSA's activities. Facebook argued that, rather than relying on the Safe Harbor Framework, it had in fact relied upon SCCs as an alternative mechanism. Mr Schrems then complained about the SCCs as well. The Irish High Court, in proceedings brought by the Irish Data Protection Commissioner, referred a series of questions to the European Court regarding the effectiveness of the SCCs and, in particular, the allegation that the US's handling of EU citizens' data contravened the fundamental right to data protection guaranteed by EU law. The court's decision is pending and could have wide-reaching impacts on the validity of the SCCs and the Privacy Shield itself.

The European Court is due to publish its decision (often referred to as the Schrems II judgment) early next year. Crucially, if the European Court determines that the SCCs and/or the Privacy Shield Framework are invalid, all existing transfers based on the SCCs and/or the Privacy Shield Framework may be found to be unlawful. As such, any business which has sought to rely on SCCs to legitimise its transfers of data to the UK in a post-Brexit world could end up having to revisit its transfer mechanisms again in the New Year.

There is, however, a glimmer of hope. The EDPB has confirmed that the SCCs are being updated in light of the GDPR, and the new sets are also expected in the New Year. Let us hope that the two coincide, to avoid what might otherwise be a huge headache for business!

Overall, Channel Islands businesses need to be aware of the present situation and the potential changes which might significantly affect how and where they process their data. They will need to look afresh at their data protection compliance and transfer mechanisms in the coming months, potentially more than once. There may, however, be good news ahead, with a new set of SCCs in the offing and resolutions (hopefully) to end the speculation regarding the status of Privacy Shield and Brexit.

In the meantime, we recommend that all Channel Islands businesses revisit their data maps; review their data transfer mechanisms with third party counterparts; update their privacy notices and internal policies; and, maybe, reach out for something slightly stronger than coffee…

 

An original version of this article was published by Compliance Matters, September 2019.

© Carey Olsen 2019.

--------------------------------------------

[1] http://content.time.com/time/specials/packages/article/0,28804,1902809_1902810_1905184,00.html

[2] In conjunction with the Council of Europe.

[3] At the time of writing, the Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the USA (limited to Privacy Shield Framework) as providing adequate protection.  Adequacy talks are ongoing with South Korea (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en)

[4] Article 132 of the Agreement on the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community, as endorsed by leaders at a special meeting of the European Council on 25 November 2018