Project Fear or Project Reality about Brexit continues, and while risks to banking, air travel, radiotherapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows, particularly of personal data, which underpin both secondary and tertiary sector industries. This article looks at the threat that Brexit poses to trade involving data flows, and at the likely shape of US/EU data flow and privacy regulation.
On leaving the EU, the UK becomes a third country and thus the cross-border legal controls mandated by the GDPR (and its predecessor Directive) come into play. Personal data may not be sent to third countries without “adequate safeguards”. The simplest and safest safeguard is when the Commission has made an adequacy finding on a country; it deems the legal regime to be adequate to protect the fundamental rights of European Union citizens. It will take time, many years, to make such a finding, unless it’s accelerated or agreed as part of the “divorce” agreement. It might happen since the UK Parliament is considering the implementation of the GDPR via the Data Protection Bill. All this is covered in the House of Lords Brexit Committee report on Data Flows.
In Schrems vs. Facebook 2013, see “… Schrems vs Facebook, in under 300 words”, the Court of Justice of the EU (CJEU) struck down the US adequacy agreement because there is no Data Protection law in the USA, intelligence services can obtain personal data without a warrant, and there is no restriction on what law enforcement agencies do once they have this data. The upshot of this finding is that the Safe Harbour agreement was voided and many companies moved to ensure their data flows were protected using alternative “adequate safeguards”. These are known as “standard or model contractual clauses” to govern inter-company transfers and binding corporate rules for intra-company transfers.
Schrems is nothing if not persistent and is returning to court. It’s his lawyers’ view that standard contractual clauses are not good enough if the law of the jurisdiction creates obligations on companies to break these agreements. The central due diligence that the Commission must perform when making adequacy decisions is to establish that the law provides protection for the fundamental rights of EU citizens. It seems to me unlikely that the CJEU will deem data in the US safe. For an explanation of the state of US law, see Ashley Gorski’s expert witness testimony to the Irish court. The risk is that the alternative adequate safeguards are deemed insufficient.
The good news is that A29WP has given the US Privacy Shield a clean bill of health for another year, but it has been shown before that the Court may well disagree with other bodies of the European Union. The CJEU may strike down both the model clauses and the Privacy Shield.
The court ruling on Schrems vs Facebook 2.0 will determine the relationship between the EU and USA, but for the UK, if we become a third country, the consequences are these: the UK will no longer be covered by the Privacy Shield, nor by an adequacy ruling; it may lose the ability to use alternative safeguards; and it will lose the ability to implement national security derogations from the GDPR. That is, while in the EU we can claim that national security is not an EU competency, but as the House of Lords states in its report:
“The UK could find itself held to a higher standard as a third country than as a Member State”
There is further jeopardy to trade/exchange caused by the UK’s Investigatory Powers Act, which permits warrantless surveillance similar to that which occurs in the USA, and also by the UK intelligence services’ sharing arrangements, which are not supervised by a court, or anyone really. Adequacy rulings are also concerned with ensuring that EU citizens’ data will not leak to a low-protection jurisdiction.
Is this just fear-mongering? If we leave, to continue to share with and most importantly receive data from the EU, we need an adequacy agreement; alternative safeguards are in jeopardy and our police/intelligence service powers may jeopardise getting an adequacy ruling. Our exclusion from the US Privacy Shield may encourage US companies to move their offices into the EU. Our service business relies on data! There’s little doubt that many companies will need to send more jobs (and data centres) to Europe. (I wish I could go with them.)