Brexit threat to data flows has real world implications

Many businesses are unprepared for this and the contractual solutions they can put in place to safeguard data flows are imperfect, can take time to implement and subject to legal challenge.

Significant financial penalties could be levied on businesses that fail to address the risk of non-compliance, and there is a lack of clarity over how data protection regulators across the EEA will approach enforcement of rules on data transfers under the General Data Protection Regulation (GDPR) in the aftermath of a 'no deal' scenario.

Businesses reliant on the free flow of data across borders should take urgent steps to ensure the continuity of their services after 31 October should the UK leave the EU on that date without a withdrawal agreement.

Brexit and the legal position on data transfers

EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). Those restrictions are designed to ensure that there is adequate protection for data when transferred to so-called 'third' countries. In this respect, there are a limited number of legal mechanisms that businesses can turn to to provide adequate protection for data when transferring it outside of the EEA.

Currently the rules on data transfers do not apply to the cross border flow of personal data between the UK and any other EEA country. This is because the UK, through its EU membership, is a member of the EEA. Data transfers from the UK to other EEA countries, or vice-versa, is automatically considered to be compliant with data protection laws because the underlying standards for data protection across the UK and rest of the EEA are considered to be equivalent.

In a 'no deal' Brexit scenario, however, the UK would immediately exit the EEA and become a 'third' country for the purposes of data transfers. This presents a compliance risk for UK-based businesses in particular as they would need to have a legal mechanism in place for demonstrating adequate data protection.

In the long term there is hope that the UK would benefit from a so-called 'adequacy decision' from the European Commission. This would see the UK designated as a safe place for transferring personal data to, and provide for the free flow of data that is currently enjoyed. However, the Commission has been clear that it will not consider an adequacy decision for the UK until the UK has formally exited the EU. It took approximately two years for Japan to obtain an adequacy decision from the Commission, indicating the timeframe that could apply before the UK would benefit from a similar designation.

What is clear is that there would be a period of several months in the immediate aftermath of a 'no deal' Brexit where businesses would need to take action to comply with the rules on data transfers. This potential 'cliff edge' was recognised by a UK parliamentary committee in 2017.

The practical impact

The topic of data transfers is often viewed in the abstract, but any disruption to data flows would have a major impact in the real world.

For example, major online retailers, financial institutions, service providers and all manner of business from all different sectors often use cloud providers to host and store personal data on servers overseas be it cloud-based email services, hosting of websites or software based systems which deliver solutions remotely.

Together with the location of hosted services, further considerations come in the form of services attached to such services, for example IT providers which offer support and maintenance services from overseas countries, or payment processors outside the UK. It is not just digital services which are impacted. Business that trade overseas or use overseas services providers, be that actuarial services, payroll providers, analytics, recruitment, investments, pensions or insurance providers by way of example would also be impacted where those services require the sharing of personal data relating to customers, employees or other people across borders.

The flow of data is ubiquitous for many businesses due to the international provision of services and the international operation of businesses across markets.

There are therefore huge questions around how to maintain the free flow of personal data in the event of a 'no deal' Brexit. In particular, while the UK has already said it will continue to allow the free flow of data to the EEA and other countries which have been previously determined by the EU to have essentially equivalent levels of personal data protection, the EEA has, absent the proposed Brexit Withdrawal Agreement, not agreed the equivalent for transfers to the UK. The question exists therefore how to allow for the free flow of data in such circumstances.

In the worst case scenario, some businesses will be unable to complete transactions or email colleagues and clients without breaching data protection law. Others may determine to take the risk and some, hopefully most, will look to implement alternative safeguards.

The legal position and options for businesses

Whilst the ability to transfer personal data outside the EEA is generally prohibited, the legislation provides a number of mechanisms to facilitate the transfer.

One way is to implement Binding Corporate Rules - these are used for inter-group transfers with approval by the regulators, but they often take months if not years to complete. Another mechanism concerns transfers to the US affected where the receiving party is registered under EU-US Privacy Shield. For post-Brexit transfers, this will require US recipients of data to have updated their Privacy Shield commitment to comply with the Privacy Shield principles in relation to transfers of personal data from the UK. There are also a number of small derogations to the general rules on data transfers which are for use in specific limited circumstances, but perhaps the main data transfer mechanism relied upon is where the parties enter into an agreement incorporating the standard data protection clauses adopted by the EU Commission (model clauses).

Practically, for many businesses that have just gone through a significant process of updating their contracts to deal with the GDPR and incorporating the mandatory provisions in relation to the appointment of data processors, or ensuring that agreements for sharing reflect appropriate terms, the thought of a second wave of contract amendments to account for a 'no deal' Brexit and the absence of a UK adequacy decision will feel painful..

Updating the contractual agreements can be a time consuming and expensive activity as it involves preparing and agreeing the contractual clauses, ensuring it details the data flows and purposes, and setting out in some detail the security requirements which govern such processing. Model clauses have been developed by the European Commission to help in this regard, but those standard contract clauses are designed for controller-to-controller or controller-to-processor data transfers arrangements. There are no such standard clauses allowing for an EEA processor-to- export to a UK controller, or indeed one based in any other non-EEA country, or for an EEA processor-to export to a non-EEA-processor, including one based in a 'no deal' Brexit UK.

Currently, some data processors have agreed to sign up to the model clauses for controller-to-processor transfers even though the provisions apply the wrong way round, just so there is a written contract in place in compliance with the GDPR.

However, the absence of standard clauses for processor-to-controller arrangements means that the threat to data flows in a 'no deal' Brexit scenario is particularly acute in cases where UK-based data controllers use data processors based in the EEA.

Even in cases where businesses wish to rely on the model clauses that have been developed, it can take time for the parties to reach agreement on their use. Consideration has to be given not just to the standard contract terms but how those terms fit in with the main agreement between the parties. In particular, the model clauses as drafted have no liability cap, and often they are entered into between a controller and a third party overseas processor who may not necessarily be the same contracting party to the main agreement, so extra consideration is needed about the commercial relationship and respective liability of the parties. 

With a 'no deal' Brexit potentially just over two months away, it is therefore a major task for businesses to action amendments to data processing and sharing agreements now to allow all transfers between the UK and EEA countries to take place from 1 November.

The reality is, though, that the question of data flows and the associated contractual changes are seen as lower priorities by many businesses planning for Brexit. They are likely more worried about issues such as ensuring continuous supply of products and raw materials, potential logistical issues around Brexit and even how to stave off any hostile takeovers that might be spurred by any reduction in the value of the pound. The challenge is also in engaging potentially inert decision makers on the topic of data transfers post-Brexit when the broader issue of GDPR compliance has been on the radar for so long now.

Court challenge and enforcement

Complicating the issue further is the fact that the model contract clauses for data transfers endorsed by the Commission are the subject of a legal challenge before the EU's highest court.

Austrian privacy campaigner Max Schrems has argued that the model clauses fail to guarantee adequate protection of personal data when it is transferred from the EU to the US. The Court of Justice of the EU (CJEU) is expected to rule on the issue in the coming months. The judgment could impact on the validity of using model clauses for the transfer of personal data outside the EEA to 'third' countries, including the UK in a 'no deal' Brexit scenario.

At the same time, there is also uncertainty over how rules on data transfers would be enforced in the event of a 'no deal' Brexit.

Currently, in line with the GDPR's consistency mechanism and 'one stop shop' protocol, the UK's Information Commissioner's Office (ICO) works alongside national data protection regulators from other EU member states on matters of compliance with a cross-border element.

In the event of a 'no deal' Brexit, however, the UK stands to lose its seat on the European Data Protection Board. This is significant as it means that the UK would not be part of the decision making process in determining how data flows work in a 'no deal' scenario, nor participate formally in discussions relating to enforcement of the rules on data transfers by regulators in the EU.

This raises the very real prospect for businesses that they might be fined twice, and both up to the maximum penalty limits, for a breach of the legislation by both the ICO and an EU-based regulator where the same breach impacts data subjects in UK and any other EEA country – something that is avoided under the GDPR's one stop shop regime currently.

Of consolation to businesses will be that the ICO has a demonstrable record of being pragmatic when it comes to enforcement and in factoring in business uncertainty. However, the size of penalties that can be imposed for non-compliance under the GDPR will remain a concern for businesses, particularly in sectors such as retail where profitability is already threatened by the challenging economic environment they operate in.

Businesses should urgently consider reviewing their contractual arrangements for data transfers and be prepared to make amendments to secure the continuous flow of data post-Brexit and minimise disruption to the services they provide.

Claire Edwards is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.