Business Info Risk have created a practical data protection briefing note for small business with 12 action points to cover data transfers from the EU in event of a 'no deal' Brexit.
EU personal data transfers by small and medium businesses: contingency measures against a no deal Brexit
Mike Barwise, Business Information Risk Management Consulting, Peter Barnes, Barnes Meridian Consulting
On December 19th 2018 the UK Office of the Information Commissioner (ICO) published its guidance GDPR compliance in event of a no deal Brexit. This is very welcome, but it does not go into much practical detail.
This paper aims to provide more background and to identify practical steps that small and medium businesses can take as contingency measures in ca se of a no-deal Brexit. We, the authors, are not lawyers, but from our many cumulative years experience in data protection and business management we believe that none of the actions suggested here are likely to be detrimental should a no deal Brexit be avoided. Indeed for the most part the effort to action them would not be wasted as they reflect best practice in covering all bases and it is better to be safe than sorry.
The potential no deal position
In the absence of a EU membership withdrawal agreement containing special provisions to the contrary, when the UK leaves the EU on March 29th 2019 it will become a so called third country and cease to be party to the general assumption of data protection law adequacy enjoyed by members of the European community.
The optimum resolution to this will be for the UK to apply for and obtain an adequacy decision, but its award is not automatically assured, and even if granted it could take quite some time to obtain (an application by Japan has taken over a year so far).
In the interim (or at worst if an adequacy decision application fails), the simplest mechanism for personal data transfers between the EU and UK will be the adoption by individual businesses of standard contractual clauses (SCCs). These have existed for some time but have not been amended since the GDPR came into force. As a result, despite UK Government assurances that they can still be used until they are amended, replaced or repealed by the European Commission, your European data partners might not necessarily be satisfied that the existing SCCs fully meet the requirements of the GDPR. The SCCs for EU controller to third country processor relationships are the most obvious case. A useful summary of their deficiencies compared to the GDPR has been produced by US law firm Bryan Cave Leighton Paisner.
Merely including these SCCs in your EU to UK data transfer contracts may therefore be insufficient in practice to ensure compliance. It is essential to recognise that in respect of personal data transfers from the EU to the UK it will be the data protection regulatory authorities of the EU countries with which you do business (and ultimately the European Commission) that both interpret the legislation and evaluate your level of compliance with it, and their decisions may override those of the ICO. Furthermore, in the absence of an adequacy decision, your processing is likely to be scrutinised by the EU parties to your data transfers more rigorously than while the UK is in the EU, even if you have adopted the SCCs into your data transfer contracts. The standard to which you can demonstrate that you actually fulfil both the requirements of the SCCs and the obligations imposed by the GDPR will therefore be a paramount consideration, as even minor compliance failures could prompt challenges by your EU partners or EU data subjects.
Data transfer scenarios to be considered by UK Businesses
EU controller to UK processor transfers
European Commission document 2010/87/EU explains and contains the standard contractual clauses covering the EU controller to third country processor relationship. From the position of the importing (UK) data processor, these generally coincide with the requirements of the GDPR, except that the GDPR is more stringent in respect of the description of processing, assurance of confidentiality, cooperation with the controller in responding to data subjects, data breach notification, assisting the controller with data protection impact assessments, the controllers right to audit the processors compliance, and, most importantly, restrictions on onward transfers outside the EU. In these areas, the GDPR requirements should take precedence, so merely relying as a processor on the SCCs may not ensure compliance with the GDPR in practice.
EU controller to UK controller transfers (option 1)
European Commission document 2001/497/EC explains and contains the earliest, and at first sight simplest, set of SCCs for controller to controller transfers. But by virtue of that very simplicity of expression it is not easy for the most part to identify specific required action points from the clauses. Consequently, it may be quite difficult for a UK controller (data importer) to be confident of demonstrating compliance. However, one of the explicit obligations is joint and several liability of both controllers, which could prove quite an onerous burden.
EU controller to UK controller transfers (option 2)
European Commission document 2004/915/EC explains and contains the second and latest set of SCCs for EU controller to importing (UK) controller transfers. These SCCs both are far more explicit and more obviously align with the GDPR than the 2001 set, but contain some additional requirements, notably an obligation on the data importer (the UK party to the transfer) to provide the exporter (the EU party) on demand with evidence of sufficient financial resources to cover liability to the exporter and affected data subjects (and possibly others) in case the importer breaches the SCCs. This liability is wider than merely for personal data breaches as defined by the GDPR. If insurance is relied on to fulfil this obligation, businesses should consider the entire range of events that might result in liability to either the exporter or data subjects, and make sure they can demonstrate adequate cover. Cyber breach policies may possibly not be sufficient, as the relevant clause in the SCCs provides for liability in respect of any breach of these clauses and any breach of third party rights under these clauses.
Comparing options 1 and 2, we suggest that, due to both their lack of specificity and their imposition of joint and several liability, the 2001/497/EC SCCs might not be the best choice if you have the option to choose between them and the second and later set.
Onward transfers from the UK of personal data sourced from the EU
Where a UK business has obtained personal data from an EU exporter and intends to transfer it onward to another third country, the UK forwarding party will be obliged to ensure that its obligations under the GDPR and the adopted SCCs are also imposed on the recipient of the onward transfer. This might be problematic in practice where standardised sub-processing services are provided on the basis of unilaterally imposed non-negotiable contracts drawn up by third country service providers (e.g. transnational cloud providers) that are the recipients of the onward transfer. A special case of this worthy of note is the possibility that the UK as a third country may not be able to rely on declarations by US service providers of compliance with Privacy Shield, as once outside the EU the UK will itself no longer be a party to Privacy Shield.
UK controllers receiving personal data directly from subjects in the EU
Where a third country (e.g. UK) data controller directly collects and processes the personal data of subjects in the EU, the SCCs will not be applicable. Instead, the relevant requirements of Article 49 of the GDPR must be met. In practical terms, this means that either the data subjects specific, explicit, informed consent must be obtained for every transfer, or the data must be exclusively processed for the purposes of entering into or performing a contract to which the data subject is a party. This is not hugely different from existing requirements in respect of UK data subjects except that the choice of lawful basis is more limited. Specifically, the currently widely relied on legitimate interest lawful basis will not be available for such processing.
Non EU/EEA GDPR business representation
UK businesses processing the personal data of subjects in the EU for the purpose of offering goods or services or in order to monitor their behaviour within the EU will be required to appoint a representative in the EU, which data subjects can approach to query the principals processing or exercise their rights.
Transfers of UK subjects personal data to the EU and to other third countries
UK business processing of the personal data of subjects in the UK is currently subject to the Data Protection Act 2018, which for the most part echoes the GDPR. The ICO somewhat confusingly stated in the December 19th guidance that When the UK exits the EU, the EU GDPR will no longer be law in the UK. The UK government intends to write the GDPR into UK law, with the necessary changes to tailor its provisions for the UK (the UK GDPR) although it would appear at first sight that this has already been accomplished in the DPA 2018. However regardless of the specifics, transfers by UK businesses to the EU and elsewhere of the personal data of subjects in the UK will continue to be subject to the UK Data Protection Act 2018 or any UK legislation that replaces it.
A twelve point action plan for small and medium businesses
These twelve action points should be considered now by UK businesses transferring personal data from the EU to the UK. In the event of a no deal Brexit and while the UK has not been granted an adequacy decision, they will be fundamental to demonstrating compliance to your EU data partners and data subjects in the EU, regardless of any UK data protection legislation.
- Map all the personal data sharing you undertake and identify all cross border transfers to and from your business to ensure that no transfers pass under the radar.
- Review your reliance on the legitimate interest lawful basis, and determine whether consent or contractual necessity should be relied on instead for processing the personal data of subjects in the EU.
- Ensure measures are in place to record consent or evidence of contract as the lawful basis for every transaction that includes collection of personal data directly from subjects in the EU.
- Ensure that your privacy notices accurately, fully and clearly express all your relevant processing in internationally accessible terms (e.g. in the languages of the EU countries where you do business), as any deficiencies here could be a prime source of complaints.
- Enter into negotiations with all your EU business partners from which you obtain personal data for inclusion of the relevant SCCs into your existing data processing contracts.
- As soon as possible engage with potential EU data sources for foreseeable future data transfer requirements as post-Brexit negotiations may prove harder.
- If you are acting as a data processor for an EU data controller, ensure that your revised contracts fully meet the requirements of the GDPR where these exceed those of the 2010/87/EU SCCs.
- Review all contracts relating to your onward personal data transfers to other third countries to ensure they will meet the standards of the GDPR, particularly with reference to US parties relying on Privacy Shield.
- Where contracts with third country processors or recipients of onward transfers are non-negotiable and may not be, or remain, compliant, consider finding alternative providers.
- Establish whether you are offering goods or services to data subjects in the EU as defined by the GDPR, and if so investigate and negotiate representation in the EU.
- Where you are in a controller/controller relationship with an EU partner, review your insurance cover or other measures to ensure you can fulfil the financial cover obligation in respect of the full range of potential liability (particularly with reference to 2004/915/EC clause II(f)).
- In order to support the audit requirement of the SCCs, prepare full documentation of your processing in accordance with Article 30 of the GDPR even if you currently consider your business exempt.
Download the document here.
Business Information Risk Management Consulting and the logo are service marks of Sapientior Limited Registered in England and Wales, No. 6214497, registered office: 6 Maple Green, Hemel Hempstead, HP1 3PY