World moves to patch Brexit hit to UK data flows
6 March 2019. By Matthew Holehouse*
The EU has taken a hard line over data transfers if the UK leaves the bloc without a deal on March 29: It has been clear that it won’t grant the UK an "adequacy" decision to permit free flows of personal information.
Less clear is the fate of data flows beyond Europe, given that the UK will also no longer be party to a web of agreements governing transfers between the EU and other major jurisdictions around the world.
Here, though, there are signs that overseas regulators are taking a more pragmatic approach than the European Commission. Since January, there has been a spate of activity to minimize the damage by privacy regulators in some of the 13 states covered by adequacy agreements.
Their stance shows a greater willingness to take on trust that the UK will remain fully aligned to EU standards.
Should the UK government manage to get lawmakers to ratify a withdrawal deal in time and the country enters a Brexit implementation period, it will continue to be treated as an EU state as long as that period lasts, meaning no new restrictions on flows of personal data.
The EU has said it will work to have an adequacy decision, recognizing the UK’s data protection standards as equivalent to its own, in place by the projected end of the transition period in December 2020, but the outcome of the procedure can’t be prejudged.
But in the event of a no-deal Brexit, the European Commission insists it won’t put in place an adequacy decision. That’s part of a strategy of only putting in place remedies in the most urgent fields and where the private sector alone can’t address the problem.
In such a scenario, companies wishing to transfer personal data across the English Channel will need to put in place the same burdensome safeguards as other “third countries,” including the adoption of standard contractual clauses.
In addition, the UK will no longer be covered by the EU’s adequacy decisions covering the US, Japan and Switzerland along with 10 other countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand and Uruguay.
The UK plans to replicate the EU’s system of adequacy agreements through secondary legislation made under the EU (Withdrawal) Act. This will regulate the continued export of data from the UK to other states under domestic law.
Getting such a system in place will be a factor in the UK securing an adequacy agreement from the EU: the commission will want to see measures in place to prevent the onward transfer of Europeans’ personal data from the UK to an unsafe jurisdiction.
When the EU’s General Data Protection Regulation came into force last May, it embodied the standards necessary for data adequacy; the UK aims to replicate the GDPR in domestic law with the Data Protection, Privacy And Electronic Communications (Amendments Etc) (EU Exit) Regulations 2019.
This domestic regulation, to be renamed “UK GDPR,” will transfer powers exercised by the commission to UK regulators, including the power to grant adequacy assessments.
It will also replicate the EU’s adequacy decisions with the 13 states in domestic law, permitting data flows from the UK to carry on as before. In addition, it recognizes the EU as adequate.
The notes accompanying the regulation stress, however, that this is unilateral: a one-way measure that permits the flow of data from the UK to other states, but not vice versa.
How much of a problem Brexit poses for overseas data regulators depends on the structure of their privacy laws.
Some mirror the EU’s approach of assessing countries’ domestic privacy regimes and then white-listing those that are fit data destinations. Often, these mirror the EU’s approvals too.
Others take a neutral approach and subject a company to the same obligations whether they hold data in-country or export it. Here Brexit presents no new hurdles.
Canada, New Zealand
Falling into the latter, neutral category are Canada and New Zealand.
Canada’s privacy law — the Personal Information Protection and Electronic Documents Act — has no adequacy concept, and Canadian companies are accountable for the safekeeping of any data transmitted overseas.
“Transfers of data between Canada and the UK are expected to continue as per the status quo after March 29,” said a spokesman for the Office of the Privacy Commissioner of Canada.
New Zealand’s Privacy Act operates similarly, and Brexit won’t result in any new restrictions on transfers. “Our office currently has no guidance for companies on data transfers between NZ and UK after March 29,” said a spokesman for the Office of the Privacy Commissioner. “As far as we know there are no legislative measures in New Zealand for that contingency.”
Jurisdictions that have adequacy systems akin to the EU’s, meanwhile, have updated their whitelists to continue data flows to the UK.
Data exchanges between the EU and US are permitted under the Privacy Shield agreement, which allows the flow of data to US-based companies that have won certification.
The US Department of Commerce, which administers Privacy Shield in the US, has said the system will continue to cover data transfers from the UK. Companies must update their public commitments to specify UK coverage.
The UK has proposed additional secondary legislation — The Data Protection, Privacy and Electronic Communications (Amendments Etc.) (EU Exit) (No.2) Regulations 2 — to reflect this in domestic law.
The EU and Japan agreed in 2017 to mutually recognize each other’s data protection regimes, with the system taking effect in Jan. 23 this year, eliminating the need for Japanese firms to use standard contractual clauses.
Data transfers from Japan are governed by Article 24 of the Act on the Protection of Personal Information. This restricts transfers of data outside Japan to states that aren’t deemed as having an equivalent standard of privacy protection.
The Japanese Personal Information Protection Commission believes that since the UK is part of the EU’s GDPR regime at the point of exit, it can continue to be regarded as adequate post-Brexit.
As a result, companies won’t need to take any action regarding data transfers with the UK, Japanese officials told MLex, but the agency will need to make amendments to regulations to clarify the UK’s status outside the European Economic Area.
Argentina is making similar moves, and has amended its domestic data protection law to permit data exchanges with the UK after Brexit. An amendment authored by the Agencia de Acceso a la Información Pública, was published in Argentina’s official journal on Feb. 26.
Argentinian data protection law mirrors the EU regime, allowing transfers to states already covered by the EU’s program of equivalence agreements.
Switzerland’s adequacy listings, governed by Article 6 of the Swiss Federal Data Protection Act, also mirror the EU’s. However, as EU states are listed individually rather than as a bloc, the UK is already recognized in its own right.
There are no grounds for its removal, as the UK has pledged to uphold a “high level” of data protection after Brexit, the Swiss Federal Data Protection and Information Commissioner said in January.
The UK’s self-governing dependent territories of Jersey and Guernsey, which are covered by the EU’s equivalence regime, have taken similar measures.
In Jersey, an amendment was made under “omnibus” legislation passed in February to prepare for Brexit by altering the Data Protection (Jersey) Law 2018. It states that the UK is not to be treated as a “third country” for the purpose of the law.
Guernsey declared the UK a “designated jurisdiction” under the Data Protection (Bailiwick of Guernsey) Law on Feb. 1. In a report, the island’s Committee for Home Affairs noted the “crucial” need for continued unrestricted data flows for the island’s financial-services sector, with the UK being its biggest data-sharing partner.
There’s less clarity over Israel. Its Privacy Protection Regulations allow data transfers to countries that Israel deems as having equivalent legal protections, or where one of a series of criteria are fulfilled, including that the transfer is subject to an agreement to uphold Israeli law.
Alternatively, transfers can take place with parties to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data, a non-EU convention covering 54 states, including the UK.
The UK and Israel had hoped to clarify the situation, an Israeli official said. The two sides had hoped to strike a formal agreement at the same time as a trade agreement between the two states was unveiled last month. While this didn't happen, an announcement may be possible before Brexit day, the official said.
How useful to companies these efforts will prove if a no-deal Brexit does happen depends on the company concerned. Two significant risks remain.
First, the absence of an adequacy agreement on the part of the EU will raise a question mark for companies that use the UK as their European hub for data processing, even if the ability to transmit that data onwards to the likes of Tokyo or New York has been protected.
Second, some regulators are concerned that by granting an adequacy decision to the UK, they may in turn risk jeopardizing their own adequacy decision from the EU, should the bloc determine that the UK is an unsafe jurisdiction for onward data transfers.
Guernsey, for example, has built a sunset clause into its Brexit amendment, stating it will lapse in December 2020 if the EU doesn’t deem the UK to be adequate by then. The island’s own adequacy decision is up for review in 2020. Jersey has similar concerns, warning that difficulties with the UK would place other states under heightened scrutiny.
* Additional reporting by Sachiko Sakamaki, Ana Paula Candil and Vesela Gladicheva.