EU / UK / U.S. Data Transfers after Brexit.

[Disclaimer 1: This is not a primer on Brexit — google it.]

[Disclaimer 2: I’m not a lawyer, consult your own!]

GDPR and Brexit

The GDPR came into force on May 25th, 2018, and is applicable in the UK. It is implemented through the UK Data Protection Act 2018 (short: “DPA”) and will remain applicable after Brexit — until it is changed or amended.

What does Brexit Mean For Data Transfers?

GDPR and DPA deem any flow of data a “transfer”: any information presented to a browser or an app is a “transfer”, even though the data only exists in your browser or app cache for a limited time.

Option 1: Country Gets “Adequacy” Approval

The GDPR prohibits data transfer outside the EU unless the country where the data is consumed provides an adequate level of protection. The U.S., for example, does not meet this requirement. The UK does have the DPA, but it has not yet gone through the “adequacy process” to gain approval by the EU Commission — a lengthy process that includes all sorts of hurdles.

Option 2: EU-U.S. Privacy Shield Framework

The U.S. Department of Commerce, together with the EU Commission, has come up with a framework based on EU data protection law to allow data exchange under certain conditions:

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

The framework requires some technical capabilities, disclosures and a public commitment, as well as maintaining your certification every year (!). Otherwise, the FTC could come after you.

Option 3: Standard Contractual Clauses (“SCCs”)

SCCs are template agreements by the EU Commission between an entity in the EU exporting data and an entity outside the EU importing data. If the two parties conclude the agreement, the entity outside the EU is allowed to receive the data. But it requires some special handling and limits caching. There are three different types of SCCs (as of 04/23/2019).

Option 4: Binding Corporate Rules

A corporate code of conduct that is made binding on a corporate level for a group of companies. It’s the most sophisticated and most difficult option to implement, and it needs approval by a European body. These certification mechanisms are also very new and still largely a work in progress.

Exception: Data is Limited to Complete a Transaction

For example, you need to book a hotel that requires a name, and the data is purely limited to completing that booking (again a gray area: is your movie preference required to complete the booking if the hotel has a movie theme?).

Data Transfer

From US to UK

You have to comply with U.S. law. In addition, if you are EU privacy certified (for example Privacy Shield or SCCs), and you also import data from the UK, then you need to comply with the data transfer principles of the respective Privacy Shield or SCC framework agreements: If you get data from Germany, process the data in the US, and send it to the UK, you need to comply with these data transfer principles. Make sure that you document any data transfer really well, and that you remember that the UK is no longer part of the EU 🙂

From UK to US

The rules remain the same after Brexit for now. You must maintain a Privacy Shield or SCC certification and disclose that data is not only exported to the US from the EU but also to the UK from the EU. That requires disclosures in the privacy disclosures of public websites as well as privacy notices for HR data (do you issue stock options of your Delaware Inc. to UK employees? Are you using the UK employee names?). SCCs might change in the future, but that will come with some warning and grace period. For now, if you are operating under SCCs, you’re still good to go.

Also, make sure you can cooperate with any inquiries and investigations of the enforcer of the Privacy Shield / SCC, for example the UK Information Commissioner (“UK ICO”).

From UK to EU

The UK government so far has confirmed that transfer from the UK to the EU will not be restricted, and that the EU will be treated as adequate to protect the privacy rights of the DPA. Phew 😉 You still have to comply with the DPA, of course.

From EU to UK

In case of a ‘hard’ Brexit without a transition period, the UK will no longer be part of the EU and will thus have to go through one of the four options above! And don’t wait for the UK to gain “adequacy” in the near term.

Some Oddities and Problems

Example: EU Clothing Brand with UK Subsidiary

A consumer in Germany is sharing data with an Italian clothing brand (no problem here). The customer is called an “EU Controller”. The Italian clothing brand is called an “EU Processor”. Unfortunately, the Italian clothing brand has subcontracted some data crunching to its UK branch or subsidiary: the UK branch has the better data scientists and runs the marketing re-targeting program. The UK branch is called a “UK Sub-Processor”. BUT: There is no SCC template between processors! The only option is to have every EU Controller enter into an agreement with the UK Sub-Processor directly. That means every customer suddenly has to get a letter and agree to this new relationship — good luck with that!

Example: UK Customer Using a EU Data Platform

A UK enterprise user is subscribing to a data platform in Germany. The enterprise is storing information on the platform (no problem here). The UK enterprise is called the “UK Controller”. The German data platform is the “EU Processor”. The UK government recognizes the GDPR compliance of Germany, so the UK enterprise is free to send the data over.

A week later, a user from the UK enterprise is looking into the data platform’s data via the web interface. Uh-oh. This means a data transfer from EU Processor to UK Controller. Paradoxically, there is no SCC template for Processor-to-Controller — you’re violating the law, even though the customer is accessing her own data! The UK Controller has to enter into a written contract with the EU Processor that it’s OK to transfer the data back to the UK.

Review your Privacy Notices!

That includes external privacy policies that are customer-facing, including recruiting, as well as internal privacy statements such as HR. You need to look at all references to the EU, the European Economic Area, and the UK. All sections regarding data transfer mechanisms have to be updated. And you have to update your Privacy Shield public commitment (if you’re Privacy Shield certified).

That doesn’t seem like a big deal. But do your privacy policies maybe require you to notify users of material changes? Is a certain time frame necessary? Do these notices need to be in local languages?

Do You Need a “Local Representative”?

Article 27 of GDPR defines the EU Data Protection Representative obligation.

An EU representative is required for any company which sells to, or monitors, individuals in the EU, but has no establishment (office, factory, etc.) in the Union. So if you have your headquarters in the UK and are selling to Germany or France, after Brexit you might need an EU representative. clarifies:

EU representative on EU Representative obligations under Article 27 of GDPR (as of 04/16/2019)

You might end up having legal representative obligations in both the EU and UK!

Thoughts? Opinions? Comments? Corrections?