The known unknowns of post-Brexit data transfers

With many aspects of the trade deal still to be ratified, organisations that transfer data to and from the EU need to start preparing now

Businesses are relieved that a trade deal was finally ratified last month after the interminable Brexit negotiations and the threat of no deal, although for many the relief is tinged with uncertainty, because multiple areas are still to be agreed upon, including services, financial transactions and data transfers.

During a web seminar on Thursday hosted by privacy consultancy Securys, principal Ben Rapp and practice lead Andrew Sharp outlined some of the known unknowns around data transfers between the UK and the EU/EEA.

The post-Brexit trade deal arrived five months after the European Court of Justice's (ECJ) Schrems II verdict in July, which struck down the Privacy Shield arrangement and forced the EU to revisit Standard Contractual Clauses (SCCs), the most popular way for EU-based organisations to transfer data to countries judged to have inadequate protections for individuals' data from state surveillance, such as the US and India.

The first unknown is the final form the new SCCs will take, as consultation is ongoing. However, the shape of the new contracts is clear, said Sharp.

The new EU SCCs will place a much heavier burden on data controllers to perform due diligence and risk assessments across the whole supply chain, with all actors in the chain required to sign the data protection agreements - which include notifying data controllers of any requests for access to personal data by third-country governments and resisting such demands to the extent legally possible.

So, the new rules will be much more exacting than the existing measures, but at the same time the SCCs will be more modular in structure to make it easier to add new suppliers to a contract. Once finalised, there will be a 12-month crossover period during which existing SCCs will still be valid.

To confuse matters further, the UK has said it will be producing its own SCCs, but this cannot happen until the EU has considered whether the UK has adequate data protections in place, a process that could last until June. During this interim period, the UK will continue to be treated as an EU member state, with minimal restrictions on data transfers to and from the EU. If after this period the UK is judged to have adequate protections for personal data then little will change.

However, if the UK's protections for individuals against state surveillance are not considered to be adequate - a reasonably likely scenario given laws such as the Investigatory Powers Act (in October the ECJ declared UK mass surveillance to be illegal) and the presumable desire by government to loosen data protection laws in order to forge deals elsewhere - the UK will become a 'third country' and data transfers to and from the EU will require SCCs or other mechanisms such as binding corporate rules (BCRs).

In fact, noted Rapp, the ICO recommends that businesses that transfer personal data to the EU should "put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data," a sign perhaps that we may be headed for third country status.

Another unknown is the extent to which data transfer rules will be tied up with those governing financial services, which were not covered by the post-Brexit trade deal. The EU and UK aim to achieve a memorandum of understanding by March.

And with the UK now out of the EU, businesses transferring data to and from Europe that were using the ICO as a lead regulator will need to pick a new one.

While much remains uncertain, Sharp advised affected organisations to start auditing their data transfers now, saying that honing the existing data management best practices of data minimisation, encryption and pseudonymisation should go a long way to complying with the emerging legislation.