EU companies' data transfers to UK at risk under no-deal Brexit

EU-based companies that send personal data to partners in the UK and haven't prepared for a no-deal Brexit scenario on March 29 risk attracting enforcement action from their local privacy regulators.

Enforcers may have rejected calls for a grace period to help businesses add extra protection to transfers in line with EU privacy rules, but they won’t be the ones to initiate probes into infringers: The threat will come from privacy activists complaining about legal gaps.

An added complication is that the widely recommended boilerplate legal contracts for data transfers, approved by the European Commission, could be declared illegal by EU judges later this year.

In a world of Big Data analytics, the economic worth of global information flows has rocketed in recent years, and businesses value the ability to move data easily across borders. Around 11 percent of the world's data passes through the UK, and three-quarters of that is to and from other EU countries, according to trade association TechUK.

This includes all sorts of personal data, such as employee details, magazine subscriptions, and football players’ medical records. A no-deal Brexit could disrupt such EU-UK data flows in the absence of companies’ preferred choice of an "adequacy" deal from Brussels for data transfers.   

Companies in any industry based in the European Economic Area — the EU states plus Iceland, Norway and Liechtenstein — would need to use alternative, burdensome data-transfer mechanisms under the bloc's General Data Protection Regulation.

These include boilerplate model contracts, binding corporate rules for inter-group data transfers, codes of conduct, and certification mechanisms.

Businesses in the EEA will face a greater regulatory risk than their UK partners if they haven't taken the necessary steps by March 29. That's because the UK government has promised to treat the EEA as "adequate" in data-protection terms and allow flows towards member countries to continue uninterrupted.

For EEA-based companies, meanwhile, non-compliance and ensuing regulatory action could lead to fines or bans on data transfers to the UK. 

Last year, Siemens warned against disruption to data flows between Germany and the UK. For certain products, one company official said, that could mean drafting "a couple of hundred contracts".

The threat of a no-deal Brexit recently prompted some trade associations representing tech businesses, financial institutions and consumer goods companies to ask the European Commission and the EU's umbrella group of national privacy regulators — the European Data Protection Board, or EDPB — to give companies more time to prepare for the eventuality of "unlawful transfers" triggered by "untimely political decisions," as the Centre for Information Policy Leadership, a think tank, put it in a confidential letter to the EDPB last month.

No grace, but no chase

But regulators are unyielding.

For several months now, national watchdogs have been publishing Brexit-related advice, prompting companies to look at what kind of data they transfer to the UK, determine if they really need to transfer it, and then find the right legal basis under the GDPR to do so. That was followed by official guidance from the EDPB last month.

“There is no room for a leniency period,” Peter Knudsen, who leads the Danish Data Protection Agency's international division, told MLex. “Those who export data after Brexit day will have to conform to regulations.”

At the same time, privacy enforcers are unlikely to start actively going after companies in breach of the GDPR because of the no-deal Brexit outcome.

They are promising to be reasonable and assess each case on its merit. The Dutch authority, for example, told MLex it is "a reasonable supervisor and will balance their actions and choice of priorities with the specific circumstances, consequences, risks and seriousness of the (partial) non-compliance,”

Knudsen said that in Denmark's case, "we haven’t planned to go out on April 1 to check if everyone has the transfer plan in place.”

Similarly, the data regulator for the German state of Hamburg told MLex that it "does not plan comprehensive investigations," adding it will keep in mind the fact companies face an "unclear political situation."

Companies are in a situation comparable to when the EU's highest court invalidated Safe Harbor, the EU-US data transfer accord, in 2015. Regulators then said they would need to investigate cases based on complaints.

Complaints

And that's where the real risk for companies lies once again, in the context of Brexit.

"We will need to investigate individual cases that are brought to our attention," the official from the Hamburg regulator said. "We could then take actions against entities located in Hamburg because of their transfers out of the European Economic Area. Their British counterparts which collect the data might also be subject to our supervision according to Art. 3 (2) GDPR if they misuse the data, but normally we would concentrate on the German sender."

The risk will come mainly from activists, consumer organizations and major data breaches. Coordinated complaints from consumer organizations across the EU aren't on the agenda just yet.

But the longer that companies take to comply with the GDPR, the higher the risk from privacy activists and organizations — just think of the complaints launched hours after the GDPR came into force by Max Schrems and his activist group Noyb — particularly in cases where a large number of individuals are affected.

Uncertain future

Regulators and lawyers have been advising companies to adopt EU-approved model contracts, which are standard sets of contractual terms and conditions which the sender and the receiver of the personal data both negotiate and sign up to.

Renegotiating contracts can be a long, complex and bureaucratic process, and if companies haven't yet started, they will be in breach of the GDPR if the UK leaves the EU on March 29 without a deal. An easier way out in some cases might be for EU companies simply to end contracts.

A doomsday scenario would be if the EU Court of Justice decides to invalidate model contracts for failures to sufficiently protect personal data from interference for national-security purposes. A case originally brought by Schrems in Ireland against Facebook is expected to be heard later this year in the Luxembourg court. The lawsuit stemmed from the invalidation of Safe Harbor, which was also based on a complaint by Schrems against Facebook.

If model clauses are voided, and the UK has not yet obtained an adequacy agreement from Brussels, most companies will have no legal means to transfer data from the EU to the UK.