What does the UK hope to have in common from 29th March 2019 with the following countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay? It is an odd-looking list, for sure. But these are the only countries which have to date been granted a ruling of adequacy by the European Commission (EC) for their data protection regimes (the United States sits alongside them only partially, for companies self-certified under Privacy Shield, and Canada's ruling covers only organisations subject to its federal private-sector law).
Adequacy is the standard of data protection a country outside the European Economic Area (EEA) must meet before personal data can be transferred to it from the EEA without any further safeguards. Once the EC has reviewed the legal framework of a country - including what rules it has in place for onward transfers to other countries - it can decide that the protection of European citizens' rights is essentially equivalent to that in the EU and so grant a positive ruling.
Currently, all 28 member states of the EU (including the UK) benefit from operating to a common set of standards: today the Data Protection Directive, implemented in the UK by the Data Protection Act 1998, and from 25th May 2018 the General Data Protection Regulation (GDPR), which applies directly in every member state. But with the vote to leave the EU and the government having triggered Article 50 of the Treaty on European Union, the UK is set to duck out from under the umbrella of EU law.
And this is where the trouble begins, for two reasons. Firstly, the UK will have to apply to the EC for an adequacy ruling, which could take time and may face several obstacles. Secondly, even a successful application will not produce a ruling on day one, leaving a regulatory gap that could freeze all EEA/EU-UK data transfers.
Just as the fishing industry fears catches it wants to land after midnight on Brexit day will be turned away and the logistics industry worries about queues of lorries at Dover in the absence of an agreed deal, so, too, the data industry could find itself unable to support any business process that requires data moving in or out of Europe. Think airline bookings (or any travel), credit card payments (or any financial transactions) or online transactions where the parent company is based within the EU (like Amazon, Apple, etc). All will be exposed to the regulatory threat from a UK operating without an adequacy ruling - and with GDPR giving European data protection authorities the power to levy fines of up to 4% of global annual turnover (or €20 million, whichever is higher), this is a very significant risk.
What does adequacy mean?
What the Commission looks for is a similar standard of protection for European citizens when their data is transferred to another country. That means everything from the way consent operates to the rights of access (the ability to demand a copy of all personal information held), erasure and portability (transfer of that information to another company). Having granted itself extra-territorial reach with GDPR, which applies to any organisation offering goods or services to people in the EU wherever it is based, the EC clearly intends to enforce these rights globally.
Countries that have introduced laws which replicate or match the new Regulation are likely to be considered adequate. The UK's Data Protection Bill, currently making its way through the parliamentary process after its second reading in the House of Lords in October 2017, replicates GDPR in most respects. But as that list of countries currently considered adequate reveals, few digitally-advanced economies have so far managed to hit the spot.
Why could the UK fail an adequacy test?
The problem for the data industry post-Brexit is not with the core of the Data Protection Bill. After all, GDPR carries forward the substance of the eight principles of the existing Data Protection Act 1998 (recast as the principles of Article 5, with accountability added), but massively expanded and strengthened for the digital economy.
But the new Bill is not yet law, so could be amended in ways the EC might not approve of. In particular, arrangements for onward data transfers - especially to the US - could undermine our ability to prove adequacy.
It is very clear from current Government statements that it sees a US-UK trade deal as the potential big win from Brexit. But the US has no comprehensive federal data protection law, only sector-specific ones, and its national security demands run directly against the intentions of GDPR.
This is what did for the Safe Harbor arrangement for EU-US data transfers when the European Court of Justice ruled on the Max Schrems case in October 2015. Since federal and national security agencies in the US can demand the release of personal information from data controllers, European citizens may have their data accessed under such warrants without the rights they can expect within the EU. Privacy Shield, its 2016 replacement, recognises this and puts in place (as yet untested) protections to keep data flowing across the Atlantic.
What other data problems could Brexit cause?
The biggest risk is probably less from failing to get an adequacy ruling - the Government will probably do what it takes to resolve any legal issues - but rather from the time between Brexit and getting that ruling. As it stands, on 29th March 2019, all equivalence falls away. The EC will not simply rubber-stamp the UK as acceptable the very next day.
In fact, given the way Brexit negotiations are going, there are reasons to believe Commissioners will demand more, especially to hedge against any dilution of data protection law in order to win that US-UK trade agreement. (Just look back at what the Transatlantic Trade and Investment Partnership was aiming at in order to understand America's desire to strip away what it sees as European legal barriers to its exports.)
So there will be a gap during which no blanket arrangement is in place. Companies will be left with the transfer safeguards GDPR offers to any "third country": Binding Corporate Rules (BCRs), which are lengthy and expensive to agree, or the Commission's standard contractual clauses, which must be signed for every data flow between every pair of entities. Little wonder, then, that techUK and UK Finance, which represent key aspects of the UK economy, have called for a "standstill" transition period while adequacy gets agreed.
The difficulty is that, so far, the EU has shown no willingness to give the UK anything it has asked for during the Brexit negotiations while demanding the UK continue to respect everything the EU already has. In addition, all Government activity that is not Brexit is in effect frozen - it is hard to see any additional data protection legislation being launched, or even a side negotiation on adequacy getting started.
So, should we be worried?
In a word, yes. Until the Data Protection Bill is passed, the Commission cannot examine it for adequacy. Even then, it is likely to want a commitment that future trade agreements, including with the US, would not attempt to dilute the protections granted to European citizens under GDPR. The current Government is very unlikely to want to tie its hands in this way ahead of starting those trade negotiations.
Unless the EC decides to offer a standstill period, the UK will fall out of the current data protection umbrella that allows intra-EU data transfers to take place on 29th March 2019. At that point, moving personal data into the UK from any Union country will be unlawful under GDPR unless it is covered by one of the third-country safeguards, such as BCRs or standard contractual clauses, or by one of the narrow derogations (for example the data subject's explicit consent to the transfer).
Lobbying is taking place to try to plug this gap. As to how effective it might be, you will need to make your own judgement based on how well you think David Davis is doing. Which may well send you running to hire a corporate law firm who can draw up a set of Binding Corporate Rules for you…