Transferring personal data internationally has become more difficult in recent days. The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield, an EU adequacy decision that allowed data to flow freely from the UK and EU to more than 5,300 companies in the US.
At the same time, it made reliance on standard contractual clauses (SCCs) – the obvious alternative to Privacy Shield – more onerous. It requires assessments by businesses of legal regimes in the countries to which the data is to be exported and “appropriate safeguards” to be put in place if the legislation in the country of destination is found wanting.
Regulators will now be expected to police international transfers much more rigorously than they have done in the past. Commentators fear that data transfers from the EU and UK to the US are now effectively prohibited, although it should be emphasised that the CJEU did not say that EU or UK to US data flows should stop.
Businesses in the UK and the US may be asking themselves what Brexit – which ends the application of the EU’s treaties in the UK – might mean for UK-US data flows, and whether it will make exchanging data with the US easier.
The General Data Protection Directive (GDPR) will cease to apply to the UK at the end of the transition period on 31 December 2020, when the UK will no longer be subject to EU law. However, this does not mean that the UK will have a free hand in the data protection arrangements it puts in place with non-EU countries, including the US.
The UK is negotiating an adequacy decision with the EU. If the EU decides that the UK’s legal arrangements are “essentially equivalent” to those in the EU, an adequacy decision would allow the free flow of data from the EU to the UK to continue after the transition period has ended.
An adequacy decision will also limit the UK’s ability to agree new arrangements for data transfers with non-EU countries. This is because any significant changes to the UK’s data protection regime, in particular lowering standards of protection, could jeopardise the UK’s status as being adequate for EU-UK data flows. The EU can revoke an adequacy decision if the country in question no longer provides an essentially equivalent data protection regime to that in the EU.
Even if the UK were to lose its status as being adequate for EU-UK data flows at some point in the future, the UK has undertaken to ensure a level of protection of personal data essentially equivalent to that in the GDPR, at least for data that came from the EU before the transition period ended.
The UK is intending to adopt the GDPR as national law at the end of the transition period. This means that UK-US data transfers will have to meet the same exacting standards currently required under the GDPR in order to transfer data to the US.
Nonetheless, there is real nervousness in the EU that the UK could end up as a “back door” through which EU data is passed to the US without adequate protections, as the final paragraphs of this letter from the chair of the European Data Protection Board to the European Parliament make clear.
Reading the opening negotiating positions of the US and the UK in the post-Schrems world is interesting. Both sides emphasise the need to enable the free flow of data and the undesirability of data localisation laws that require personal data to be stored in the country where it was collected.
The US government’s summary of negotiating objectives for a UK-US FTA states that the FTA should “establish state-of-the-art rules to ensure that the UK does not impose measures that restrict cross-border data flows and does not require the use or installation of local computing facilities”.
The UK’s policy paper on a future UK-US FTA emphasises the importance of “maximising the UK’s reach in emerging fields like global data flows and artificial intelligence”. It states that the FTA should “include provisions that facilitate the free flow of data, while ensuring that the UK’s high standards of personal data protection are maintained and include provisions to prevent unjustified data localisation requirements”.
The Schrems II decision would appear to make delivery of the UK’s and US’s negotiating objectives more difficult. The advocate general’s opinion in Schrems II emphasised that pragmatism was needed in order to “on the one hand…allow interaction with other parts of the world…and on the other hand…to assert the fundamental values recognised in the legal orders of the Union and its member states, and in particular in the charter [of fundamental rights]”.
However, the consensus appears to be that the CJEU failed the test of pragmatism, creating unrealistic expectations that businesses will be able to make robust assessments of legal regimes in third countries and assess transfers on a case-by-case basis.
The reaction of the UK government and the UK regulator for data protection, the Information Commissioner’s Office (ICO), reflected their shared concerns to ensure that international data flows are not disrupted. The UK government’s statement emphasised that it “remains committed to supporting UK organisations on international data transfers”. The ICO struck a similar note, saying it was considering the impact of the judgment on international data transfers, which it stated are “vital for the global economy”.
The ICO also stated that transfers taking place in reliance on Privacy Shield should continue for now. This echoed the US Department of Commerce’s response, which stated that companies relying on Privacy Shield should continue to abide by their obligations and emphasised that “data flows are essential not just to tech companies – but to businesses of all sizes in every sector”.
If data localisation is undesirable to the US, it is even more problematic for the UK. Brexit has often been discussed as the process of making the UK into a “global trading nation”. Creating barriers to trade through onerous requirements in data protection law sits uncomfortably with that ambition.