
Mishcon Academy: Digital Sessions - Brexit: Data Protection Implications

Posted on 19 November 2020

Mishcon Academy: Digital Sessions are a series of online events, videos and podcasts looking at the biggest issues faced by businesses and individuals today.

This session was recorded on 17 November 2020. The information in the film was correct at the time of recording.

The debate continues over international data flows and the fallout from the Schrems II decision, against the backdrop of waiting to see if the EU Commission will grant the UK an adequacy decision. Data transfers, of course, are not the only Brexit / data protection issue: businesses will need to ensure also that they are ready to comply with both the EU, and UK, data protection regimes on 1 January 2021. They will need to assess the impact on their operations and agreements, and consider how to manage any data breach situations. Our data protection specialists explore these issues throughout the session.

Nina O’Sullivan

Good afternoon, welcome to this Mishcon Academy Digital Session. My name is Nina O’Sullivan, I am a Legal Director here. I am just going to be saying a few introductions as people are joining. This is a Mishcon Academy Digital Session. It is a series of online events, videos and podcasts which are touching on key issues affecting businesses and individuals, and the session today is focussing on Brexit and the implications for data protection, and I am very pleased to be joined by three panellists from our Data Protection Group; first of all Adam Rose, who is a Partner and Head of the Data Protection Group, Mark Deem, who is also a Partner in the group specialising in data and tech disputes, and also Jon Baines, who is a Senior Data Protection Specialist. Now in terms of how the session is going to work today, each of the panellists is going to be speaking on a particular topic and we do have a slide deck which I am going to share on the screen in a moment, but we are hoping that the conversation will be a bit interactive between the panellists, so whilst I will be controlling the slides, I will perhaps need to just make sure that I am keeping up with the panellists in case they go off on any particular tangents. So I am just going to share my screen now. If you do have any questions during the session, please do put those into the Q&A box and we will do our best to deal with those if time permits during the session.

So first of all, in order to do a bit of scene-setting, as I am sure you will all know, the UK left the EU on the 31 January this year and we are currently in a transition period and that ends at 11.00pm on the 31 December 2020, so in a couple of weeks’ time. From that point the UK will be treated as a third country for the purposes of the EU General Data Protection Regulation, the GDPR, and that means that the UK wants and it needs an adequacy assessment from the EU as to its planned data protection regime, and without that adequacy decision it is going to mean that there are serious implications in relation to international data transfers from the EEA to the UK and also for onward transfers from the UK to the US, and Jon in particular is going to be focussing on that issue shortly. But the implications of Brexit for data protection are not just about international data transfers, although that is clearly a very significant issue. We are going to have a separate regime in the UK called UK GDPR and Adam and Jon will explain the implications of that in a moment. That is going to lead to enhanced regulatory compliance and burdens on businesses that deal both with consumers in the UK and individuals in the UK and in the EU as well, and there will be a number of practical implications for those businesses to be thinking about and that’s also what we are going to be focussing on today. So the first topic is simply this; what is going to happen to GDPR at the end of the transition period and what are the UK’s plans in relation to this and how should businesses work out which regime will apply to their processing, and Adam I think you are going to deal with this.

Adam Rose

I am indeed Nina, thank you, and just in passing, just to pick up on something you said Nina, which was we are looking in a couple of weeks’ time, which you meant figuratively rather than literally; I think we have actually got all of six weeks to go and what I read in the paper this morning suggests that there might be a further extension of some kind, an adjustment period I think it was called in the press, as to the drop dead date of 11.00pm on New Year’s Eve. So what I am looking at is what the law will be at the end of the implementation period or transition period from the 1 January and there are two things to bear in mind. One is, EU GDPR, as in GDPR as we know and love it, will no longer be directly applicable in the UK. It is directly applicable in the UK at the moment as an EU regulation, the UK is a member state of the European Union and the withdrawal agreement provided for an eleven month period of implementation or transition under which EU law would remain UK law, and the GDPR law, or what we have called on this slide EU GDPR, will no longer continue to apply in the UK in its own right because the UK will have totally left the EU, but it does get preserved in UK law under what we are calling UK GDPR, and what UK GDPR is effectively is GDPR as we know and love it with all the references to European stuff crossed out and UK stuff put in.
So there is a helpful document that’s produced, that the Government or Parliament produces, called a Keeling Schedule, effectively a mark-up of EU GDPR, and when you look at what they’ve crossed out, they’ve crossed out at Article 3(2), which I will come on and mention shortly, the original says ‘this regulation applies to the processing of personal data of data subjects who are in the Union’ and ‘the Union’ has been deleted and the words ‘the United Kingdom’ have been added in, so Jon has shared the Keeling Schedule just now so that people can download a copy of that if they want, but effectively every time you see ‘the Union’ referred to or ‘institutions of the Union’ referred to in GDPR you can assume it’s been crossed out and a UK equivalent has been put in so…

Jon Baines

Adam can I…

Adam Rose

…please jump in.

Jon Baines

I just make a note about that link that I’ve given: I think the thing about Keeling Schedules is they are not legal instruments, so to the extent we are giving a link to that, it’s not what the law is, it’s the DCMS’s own, if you like, working document on how they see GDPR will…

Adam Rose

Agreed and thank you and that’s helpful, but it is a worthwhile document to have to hand just so you can see the way things have been adapted for UK GDPR purposes, and you will remember under GDPR we have got GDPR and then alongside it we have the UK’s Data Protection Act 2018, and that remains the case post-implementation period, post-transition, that UK GDPR will replace GDPR for our relevant purposes and sits alongside the Data Protection Act itself, which does various related things. So there are a number of challenges that arise from Brexit relating to data protection and non UK businesses, and I will then address it from the other way round as well; non UK businesses will need to consider if they need to comply with UK GDPR, which they will need to do if the processing takes place within the UK, or rather they have an establishment in the UK and that’s the sort of guiding mind behind what they are doing, they might need to look at what UK GDPR says, and they might also be caught, and I mentioned Article 3(2) just in passing before when looking at the mark-up, they will also be caught by UK GDPR if our rules on extraterritoriality apply, which are the flip side of the EU GDPR rules on extraterritoriality, because the processing relates to the offering of goods or services to individuals in the UK, so if you are based in France and you are selling goods or services to individuals here you will need to consider compliance with UK GDPR, or if you are monitoring behaviour of individuals in the UK, and there is a question as to what monitoring behaviour means, then it could mean that certain cookies on your website which are being used by UK people or people in the UK might bring you into the remit of UK GDPR. Nina do you want to jump on to the next slide, which is the sort of flip side story, which is UK businesses and whether they need to comply with EU GDPR.

They will need to comply with EU GDPR if UK businesses have an establishment in the EEA, which is the EU 27 plus Norway, Liechtenstein or Iceland, and they are within scope of Article 3(2) of the EU GDPR, in other words the exact opposite of what I have just said, namely they are based here but their processing activities relate to the offering of goods or services to individuals in the EEA, the EU27 plus three, or their monitoring of behaviour of individuals there, and again that might be through cookies, and I guess one of the issues that then arises is does the UK Court adopt the same interpretation of UK GDPR as the EU Court adopts of the EU GDPR when faced with the same words in Article 3(2). Let’s sort of not let it get too complicated and worrying and say, at least for the time being, let’s say yes. So we are faced with equal and opposite mirror reflection rules here and there, and then Article 71 of the Withdrawal Agreement, that was the oven ready deal of the last election, Article 71 of the Withdrawal Agreement, which only applies if there is no adequacy decision, and the news coming out of Brussels to date does suggest no adequacy decision is a, I’d say, a likely outcome by the end of this year but one should never rule anything out, in relation to legacy personal data might apply EU GDPR irrespective of where the individuals involved are, so it sort of overreaches Article 3(2), and I will come on in a moment to show that in tabular form.
It actually goes beyond, it goes beyond not just individuals in the EU or EEA but individuals anywhere in the world because that’s what applies to us now, that’s what GDPR as we know and love it means, namely we are caught by GDPR at the moment as processors based in the UK, as controllers based in the UK, irrespective of where the individuals are, and Article 71 of the Withdrawal Agreement maintains that story unless and until, unless and until we have a finding of adequacy, and just in passing, and I said I don’t think we will have a finding of adequacy by the end of the year, I am sceptical as to whether we will have a finding of adequacy. I think we can come on and talk about that a bit later but I think the mood of the meeting of the European Union would be that the UK is sort of pretty much on the naughty step for GDPR compliance purposes and we do various things which annoy Europe when it comes to data and we don’t take it quite as seriously, and therefore I am not convinced we will get an adequacy finding, but I guess it’s a 50/50 bet so either you agree with me or disagree with me, we’ll find out in due course and until I am wrong I guess I am right. So Nina do you want to jump on to the next slide, which I am not expecting people to read in any detail at all, and there is certainly no exam at the end of this, but what we’ve tried to set out is the rules that we think apply, and I can’t stress enough that we ‘think apply’, to, if you look at the top, UK based controllers, EEA based controllers or controllers based in the rest of the world, both during the IP, the implementation period, and after the implementation period, in respect of different types of data subjects.
Now the fact that we even have to think like this is itself a complicating factor in that until, well as at today for example, UK GDPR applies if you are based in the UK and it is as simple as that, there isn’t, there isn’t something else you need to think about, and I guess the most complicated area is, is the third row down, where you have a UK based controller after the implementation period where the data subject is in Europe but whose data was collected this year or before, and there you’ve got the situation where the UK GDPR applies or, until there is a finding of adequacy, EU GDPR applies, and what EU GDPR is, is EU GDPR as at the end of this year. So if GDPR moves forward and is amended or in some way revised, revoked, whatever, it’s GDPR as at the 31 December 2020 that is going to continue to apply to UK controllers who are controllers of data collected about anyone in Europe, whose data was collected before the end of this year, and who continue to process it after the end of this year. So…

Nina O’Sullivan

And Adam you are probably about to come on to it but it is not just anyone in Europe either is it…

Adam Rose

Well and then jump down two rows…

Nina O’Sullivan

…it’s anyone in the rest of the world?

Adam Rose

…jump down two rows precisely and we’ve got the same story, so you’ve got a UK controller who is subject to GDPR because they are a UK controller. No finding of adequacy, they are processing data of say someone in America to whom they have sold a, it doesn’t really matter, a holiday or a pair of socks, it really doesn’t matter whatever your business is, we are selling something or providing or offering to provide goods or services, and EU GDPR as at the end of this year will continue to apply to that processing. You do have this potentially sort of really, it’s sort of an infestation of regulation at this point where you have got UK GDPR applying to your UK stuff, you might have EU GDPR applying where your customers are there and you might have effectively what I call ‘old or ossified’ GDPR, the GDPR that is stuck in stone as at the end of this year, applying to certain other types of processing. Now how that is going to play out in practice… do you want to jump on a slide. How that is going to play out in practice is obviously hard to tell. I suspect most businesses are just going to try and get on with life and say ‘there is only so much red tape that I can bear, there is only so much I am going to deal with in terms of this and as long as I am essentially complying with UK GDPR’, which ultimately the regulator here will be enforcing, though theoretically also enforcing what I call the ossified GDPR, maybe we just get on with life and sort of say that was very interesting that a lawyer said, but nonetheless life is too short and I am getting on with this, but there is a risk that a UK business is facing three types of rules; UK GDPR, EU GDPR real life and EU GDPR stuck in stone.
It is worth bearing in mind that obviously as at today they are all essentially the same, there is no change to GDPR, EU GDPR is the same as UK GDPR, we have no different judgments, but it doesn’t take much to imagine that each might go off on its own course, that the Government’s directions at a Courts… Court of Appeal level that it can overturn decisions of the European Court could result in, in different outcomes, and it is always worth remembering before I hand over to Mark, it’s always worth remembering the historical background to data protection law, that Europe takes data protection law really seriously because it really has mattered historically that if you have been on the wrong list you could be killed, and the UK has always taken a far more liberal view because we haven’t been run by Nazis or communists, and the result of that sort of philosophical historical backdrop is I think one that can’t be underestimated as the UK Courts start investigating and applying UK GDPR to data protection law. I am not even going to go into what happens if the UK decides to come up with an entirely new law and the impact of that, but based on what we know today, I think that is the bet that we could say, but possibly a multiple, multiple range of different requirements to comply with, but hopefully all essentially the same frankly for as long as possible.

Nina O’Sullivan

And so would it make sense Adam for businesses to identify, as part of the preparation for the end of the transition period, the legacy personal data?

Adam Rose

Well I guess, I guess in theory, in theory let’s pretend for a moment that this year Christmas doesn’t fall towards the end of December and we have a full six weeks to be doing this, let’s assume that businesses haven’t started doing a whole bunch of sort of due diligence effectively in relation to their, their data, I guess theoretically it would be a good thing for a business to know what data does it hold now, what of that data is relating to individuals not in the UK which a business might or might not know if all they have is my personal email address of adamdanielrose@hotmail.com and I downloaded something.  They don’t know whether I am here or there, they might say well that’s an English sounding name but that doesn’t mean I am not in Ireland, it doesn’t mean I am not in America, Canada, Australia or frankly anywhere so I am not sure how… let’s put it this way… I am sure it’s the right thing to do and I am not sure it gets you as far as you need to be getting but that you certainly, companies need to be, I guess companies need to be mindful of roughly where their client base is and if their client base is predominantly let’s say they are a specialist maker of teas from Kent where the market is in France and they know that their market is essentially French, I think they need to be looking at this very seriously.  If their market is essentially a UK market with some trade in Europe and some trade beyond Europe, they might take a different view but sort of the lawyers, the strict legal answer is you are absolutely right Nina, yes the reality I suspect is, is a softer version of that.

Nina O’Sullivan

Okay.  Thanks Adam.  Let’s move on to Mark now then and have a look at some of the other compliance issues that arise as a result of potentially having to comply with both the EU GDPR and the UK version, Mark?

Mark Deem

Great, thanks so much Nina, thank you Adam. At the sharp end of GDPR as you know is the compliance regime of potential enforcement action. I very much hope that many of you will not have had to experience this first hand so far. You will know that throughout the EU 27 and the EEA and UK the Data Supervisory Authorities are the guardians of GDPR; they are the bodies which receive complaints, notifications and have powers of investigation to monitor the application of GDPR to protect fundamental rights in relation to not only processing but the facility of the free flow of personal data within the EU and EEA. Now the appointment of the Data Supervisory Authorities has always been a matter for national law. But GDPR has set out a number of minimum requirements - acting with complete independence, they must be free from external influence, they must not take or seek instructions from anyone else, they need to be well resourced to carry out their tasks and exercise their powers effectively, and so, so far so good and Brexit is not going to impact this. The ICO, the Data Supervisory Authority in the UK, will continue to be a creature of domestic law and its establishment, like other supervisory authorities, will be derived from national law. It will continue to have specific competence in relation to the UK in relation to data matters. Now obviously if in due course the UK is going to diverge from the EU in terms of the minimum requirements then the remit of the ICO could in theory change from the 1 January and there would no longer be an obligation on the UK to notify the European Commission of any such changes. However, given the nature of the minimum requirements I have just mentioned, it seems to me to be very unlikely that in the short to medium term the ICO is going to look very different in any way from the operations of its EU and EEA counterparts.
The one area where we can though, and we should, expect some change is in relation to the cooperation regime concerning compliance that is in place at the moment. In addition to having specific competence in relation to its own territory, the Data Supervisory Authorities at the moment also have an obligation to cooperate with other Supervisory Authorities in relation to cross border matters, and some of you may recall that this mechanism underpins the so called One Stop Shop Regime, which I have to say to my mind is perhaps the one feature of GDPR which had the potential to save money for businesses, and it is the concept that if you carry out cross border processing, either through multiple establishments in the EU or even with just one single establishment, the Supervisory Authority for the main or single establishment acts as the lead Authority in relation to all compliance activity in relation to that cross border processing. Put at its most simple, in the event of a notifiable data breach involving many member states a notification to the lead Supervisory Authority would generally be sufficient and multiple notifications would not be necessary. Now GDPR also sought to prevent there being any forum shopping and the EDPB offer guidance as to what would be the most likely lead authority. I think it is inevitable that to date companies have been paying attention to the enforcement activity of the Supervisory Authorities and there may have been some forum shopping going on, but that’s just a factor of what has really come about in relation to the one stop shop regime to date.

So where are we going to be when we get to the 1 January? Well the one stop shop mechanism will continue to apply within the EU27 and EEA member states. In addition the UK ICO will not be able to serve as the lead Supervisory Authority for purposes of EU GDPR. Ongoing participation for the UK in the one stop shop regime is still being discussed at the moment between the Government and the European Data Protection Court, however I think it is fair to say that these discussions seem to relate more to the question of whether or not the EU and EEA Supervisory Authorities will act as one in relation to a UK based company with cross border activities involving many member states, or to put it simply, as the UK will be a non-EU, non-EEA state from the beginning of next year, will a UK based company suffer multiple jeopardy of investigations and fines from each of the EU and EEA Supervisory Authorities in relation to activity in those member states or will it just come from a lead Supervisory Authority. Now that’s what happens if we leave matters by default and just leave it to negotiations, but rather than do that, which might only ever provide us with a short-term fix, I think it is fair to say that if you are engaging in cross border activity it’s worth giving some thought now as to whether or not it makes sense to appoint a lead authority if your organisation trades EEA and EU activities, and therefore you bring yourself into the regime where you are dealing with the one stop shop in relation to the UK, sorry the EU or the EEA, and one Supervisory Authority, the ICO, in relation to the UK. Otherwise I think the risk that we have is that we return to the pre-GDPR days of the prospect of multiple dealings with several authorities, the additional cost, the risk of inconsistency that can be brought about as a result of a single incident which might touch upon a number of different countries within the EU.

There is probably insufficient time today to talk about the nuances of cooperation and what it actually looks like in practice but suffice to say that I think there is a widely held view that cooperation between Supervisory Authorities has broadly worked well thus far and that the loss of cooperation in terms of efficiency and consistency is going to be problematic for businesses.  There are two cases that we have been monitoring in this area which necessarily have a bearing on the one stop shop regime, that’s the Google case with unclear CNIL in France and the Facebook case in Belgium.  There is not enough time, I think that is going to be for another session we will have to talk about those but we are continuing to monitor those and to the extent they impact on any of this obviously there will be a blog or communication in relation to that. 

So I think we now turn to the next position, which is in relation to representatives and what you might need to know as a business. Adam referred a couple of times to Article 3(2) of EU GDPR and the need to appoint an EU based representative in one of the member states where the data subjects whose data is processed are located. This rule is not going to change but, as Adam explained, instead we are going to certainly have a similar rule in relation to UK GDPR and EU GDPR, and therefore unless you can point to an exemption, and I will come on to talk about what those exemptions might be, if you do not have an establishment in the EEA but you nonetheless offer goods or services to data subjects in the EEA or monitor their behaviour then you are going to need to have an EU representative. A UK representative alone will be insufficient. Equally, unless you can point to an exemption, again I will come on to those, if you do not have an establishment within the UK but you offer goods or services to data subjects in the UK or monitor their behaviour then you are going to need to have a UK representative, and an EU representative alone will not be sufficient. As you can appreciate this has got the potential to increase costs for organisations who will now need to potentially have a UK and an EU representative, and on the slide there, just by way of a reminder, is the fact that the representative is liable for GDPR or UK GDPR breaches committed in the event of non compliance by the controller or processor, and has an obligation for direct reporting in relation to record keeping and cooperation with the Supervisory Authorities.
Now compliance with the appointment of representatives is essentially a matter for the Supervisory Authorities and although we do not expect there to be active and aggressive policing of these matters which will start from the 1 January 2021, as is invariably the case, questions concerning compliance all come into very sharp focus at the time of any engagement with a Supervisory Authority, including for example in relation to notification, when wider compliance issues can be really brought to the fore. So although you may be thinking that this isn’t something you need to engage with, I think it is something that needs to be looked at now because you never quite know when it may come onto the radar of the Supervisory Authorities.

I don’t propose to dwell particularly long on the next slide but I think it is useful as a quick reminder just as to who can comprise a representative for these purposes. The representative can be an individual, a company or an organisation. I think we may have gone on one slide too far there – apologies. The EU representative must be based in an EU state where at least some of the data subjects are located but must be easily accessible for data subjects in other relevant member states, but crucially, it’s the final point on this slide, information about your appointed representative, the UK representative and/or the EU representative, needs to be included in the privacy notice and on the website. Okay, I mentioned there are some exemptions or exceptions that are needed or that apply when you are considering whether or not to have a representative. Well there is no real change to these exceptions that is going to be brought about as a result of Brexit, but I think it is fair to say that the same exceptions are likely to apply equally to considerations of appointing an EU representative as well as a UK representative. That isn’t to say there is no need for a representative where the processing is occasional, does not include large scale processing of the special categories of data and is unlikely to result in a risk arising to the freedoms of natural persons. Now in this context occasional generally will be taken to mean not carried out regularly or outside the regular course of business. We get that from the EDPB, that is going to continue to apply, but I would be very surprised if there was not a wholesale adoption of that concept of occasional, at least in the short to medium term, by the UK Supervisory Authority in this context.

And so finally in the context of the compliance, on the final slide, some actions you might think of when you are preparing for the 1 January 2021 over the next six weeks. First and perhaps most importantly you would need to update privacy policy and communications with data subjects. As we have seen, there is a potential, depending upon the reach of your organisation, to now have both a UK and an EU representative. That needs to be reflected in your privacy policy, it needs to be in your communications. Jon is going to be saying something shortly about data transfers and that again will lead to there being some further updates, as well as some updates in relation to the legal basis underpinning the processing of personal data. Secondly, I just wanted to point out, as the final point in the slide, that the UK GDPR will require a data protection officer to be appointed by reference to precisely the same criteria as you have under GDPR, but unlike representatives it can be the same person if that person is easily accessible from both your UK and your EEA establishments, but you should really bear in mind that it may be necessary for you to have DPOs in respect of your UK operations and your EU 27 and EEA operations.

That’s what I want to say about issues of compliance, but before handing over to Jon to say a few words about data transfers I think it is worthwhile just touching upon one other matter. And that is in relation to issues concerning marketing, cookies and electronic communications. For those long suffering members of the audience who, like Nina, Jon, Adam and me, have long followed the advent and implementation of GDPR over what seems like many, many years now, you may recall that originally the GDPR was conceived of as being part of a wider EU framework for data security and privacy and was essentially just one of three pillars to achieve this as part of the digital single market. The original expectation in fact was that all three of these pillars were going to be implemented around the same time, and in addition to GDPR you will have been aware of the network information security directive, which actually hit the statute book in the UK about two weeks before GDPR itself. The third pillar is the ePrivacy regulation, which seems to have fallen a little bit by the wayside in terms of the attention it has been given more recently, and the intention of the ePrivacy regulation was to update and replace PECR, or the Privacy and Electronic Communications Regulations of 2003. That is the legislation dealing with marketing, cookies, electronic communications more broadly. Now the ePrivacy regulation has still not been finalised but it is clear that territorially it will not apply in respect of the UK, and so therefore we put it on the slide just to highlight and get on to your radar the prospect that once introduced, businesses may still fall within the scope of the ePrivacy regulation but nonetheless have an ongoing duty to comply with PECR, the legislation the ePrivacy regulation was going to replace, but it may have to still apply or comply with PECR in relation to the UK.
It is clearly not ideal and we suspect that in due course there is going to be a need for this to be revisited, but it is worthwhile having on your radar that there is going to be a dual regime that potentially will apply once the ePrivacy regulation is finalised and introduced sometime during the early part of 2021.

Adam Rose

Can I jump in and say it is almost certain that that is going to be the case since it is hard to imagine that that won’t be the outcome and there will be two, two regimes; one an updated PECR regime applying to European marketing and PECR which presumably under the banner of sovereignty won’t track that one slavishly.

Mark Deem

Absolutely, I agree with that but they still have six weeks to sort it out though.

Adam Rose

Or four and a half if they are celebrating Christmas this year.

Mark Deem

Of course.

Adam Rose

The other thing just to mention is there are a couple of questions that came up in the Q&A that Jon and I answered so if people want to click on the Q&A at the bottom, you will see there are a couple of questions and a couple of answers and do keep using that facility and we will try and either type the answers or answer them orally.

Nina O’Sullivan

That was very efficient of you both thank you.

Adam Rose

Ahead of the game.

Nina O’Sullivan

Thank, thanks Mark.  So yes data transfers so Adam has already highlighted the fact that it’s looking increasingly uncertain that there is going to be this adequacy decision at least by the end of the year from the EU for the UK’s data protection regime and so Jon tell us what does this mean for data transfers?

Jon Baines

Thanks Nina and thanks Mark and Adam.  I am actually going to very briefly mention the E privacy regulation again just because Mark talked about it coming into, probably coming into effect in 2021.  I think I actually have my doubts about that.  I saw that the European Council rejected the German Presidency’s latest proposal last week.  I was told a while ago it is not the, then one of the most heavily lobbied against proposals in the history of European legislation.  It has taken a long time to get nowhere so far and maybe we will see it in 2021, maybe not but I think other than that rather, rather fatuous observation I agree completely.  So data transfer has been really for the past few years, has been quite a burning issue that’s not going to go away.  It is easy to make some, some rather simple observations or maybe ones that fall under the category of the bleeding obvious and we will do that but we will also try and dig a little bit into what that might mean in terms of some of the complexities.  One of the most bleedingly obvious points is that from 1 January, the end of the implementation period, the UK will be in GDPR terms a third country which means that the general presumption of freedom of movement of data, just as with all the other freedoms of movement under European law, will go so it will no longer be by default straightforward to move personal data across borders to the extent that that border now exists between Europe and the UK.  
The… if we had been having this talk a year ago I think the majority of people on the panel probably and maybe the majority of experts in general would have assumed that this wasn’t a big problem because the European Commission would or would be about to grant an adequacy decision in respect of the UK and what that means is the Commission determines that the third country has in effect an equivalent level of protection for personal data such that the Commission says it is okay to transfer data between the EU or the EEA and the third country.  There are currently twelve countries that have received this adequacy status in the years since 1995 so it is not a straightforward thing but I think a lot of people made the assumption that look the UK has long been part of the European data protection framework, the mere fact that it’s decided to uncouple itself from the EU doesn’t actually change its compliance with data protection law so surely we’ll get an adequacy decision.  Well we are now at… forgive me I forget the date, 17 November and it’s far from clear whether that will be the case and I think there are a number of reasons for that.  Perhaps one of the most obvious is in fact whether to confer an adequacy decision is as much a political and an intensely political decision as it is a legal one.  I think we can look at it in this way that if it was straightforward to leave the EU and there were no consequences in terms of freedom of movement of data because the Commission would just say that the country that’s left the EU is fine and it’s adequate then there might be an encouragement for other countries to take a similar step.  So it’s by no means certain that there will be an adequacy determination come 1 January.  Indeed just in practical terms there is an argument that until the 1 January comes the process for determining adequacy can’t actually begin so as the slide says, it’s up in the air.  
I think also given the drift of comments, the tenor of comments coming out from the Government there is a strong suggestion that there may not ultimately be any such decision.  There have also been the judgments, particularly we note the Privacy International decision, around whether the UK’s surveillance regime will actually militate against any decision around adequacy.

Adam Rose

Jon, just to jump in on that, I think it is something that you and I have discussed at length previously is of course the risk that the UK goes down a US trade route can’t be ignored and I think if the UK does decide that it’s best friends with America rather than best friends with Europe, that is certainly heading in that direction and what a Biden Presidency means for that I don’t know but as I said earlier, the UK has always taken a more liberal approach and might see its friendship group across the Atlantic rather than across the Channel.

Jon Baines

Yeah indeed and you used the word ‘risk’.  Some people might see it as an opportunity.  We all have our own personal views.

Mark Deem

And I guess private practice lawyers will see it as an opportunity always.

Jon Baines

Indeed.  So if we, if we suppose or if we proceed on an assumption that there will not at least for the let’s say immediate and mid-term future be an adequacy determination, one has to fall back on the other available mechanisms, though, for moving personal data from the EEA to the UK and those on the call will probably be reasonably familiar with these but they, they boil down to a few really available mechanisms which we’ve got on the slide there and I think for the sake of this discussion we can probably strike off the bottom two which are I think exceptions or unlikely examples for general practice.  There are binding corporate rules.  I think we can probably strike them off because they are a very expensive way of having effectively intragroup transfers between companies.  So what we are left with is, is the likelihood that the majority of data transfers from the EEA to the UK will have to be done under standard contractual clauses approved by the European Commission.  Some straightforward but many participants will be aware of the, the challenges that have taken place recently to international transfers in general.  The Court of Justice of the European Union in July ruled on a complaint that was initiated by Max Schrems.  Now the challenge there was to the agreement between the European Commission and the US, known as Privacy Shield or Privacy Shield according to which side of the Atlantic you come from and the Court struck that decision down.  What the Court also did and I think there was a lot of media coverage about this, it didn’t strike down the existing standard contractual clauses and I think a lot of commentators assume well that’s fine we can just carry on as we were, model clauses are good, Court hasn’t struck them down but in fact a close reading of the judgment does raise a number of concerns for the standard contractual clauses and those who are seeking to use them.  
I think the easiest thing to say is yes they are still available and yes they will be available for cases where transfers from EEA to UK happen but I don’t think they can just be what perhaps too many parties have assumed in the past.  They are not just a piece of paper that you effectively sign and then move on.  You are going to have to look very closely at them, a case by case assessment of the transfer and we’ve recently had guidance from the European Data Protection Board on what exactly parties need to be doing because the effect of the judgment in Schrems is that I think the irony here is in fact really what the Court did in Schrems was just say look at what the clauses say and what the clauses say is that the parties really should be satisfied and should effectively be putting each other on notice if not, should be satisfied that the law of the importing country is not going to adversely affect the personal data that is being moved to that country and if it is, then there is an obligation on the data importer to notify the data exporter.  There is also an obligation on the supervisory authority to intervene so what the EDPB has done is produce guidance on what parties need to do if they are going to be able to rely on standard contractual clauses and they’ve suggested a six step process, some of these are quite obvious so just understand what transfers you are doing and identify what tools, what mechanism you are relying on, assess whether it is effective in the light of the circumstances and if you can’t be certain that the clauses as they are, are sufficient to protect data then you may need to adopt supplementary measures.  Now what they might be I am not going to go into detail, the guidance from EDPB is lengthy and quite complex but they are for instance, the EDPB strongly advocate strong encryption and according to the circumstances of the transfer, strong encryption at various stages so in transit and indeed at rest.  
They advocate maybe split or multipart processing so where one importer can perhaps protect at one point, but can’t after that then you may need to consider well do we need a different provider to do the next bit or perhaps undertakings to denormalisation measures to reduce the risks of the data and I think the take away point is here, if you are going to be using standard contractual clauses don’t just stop there, make sure that you review them, make sure that at least you’ve considered what the underlying law is the country where you are moving data to and adopt these supplementary measures if you can.  If you can’t, actually consider whether you still are able to transfer the data to the country and then re-evaluate it at appropriate intervals.  What this, what the conclusion is really is that transfers from the EEA to the UK and indeed from the UK to other countries that don’t have an adequacy determination will take place under a certain level of legal and regulatory risk and I think parties need to be aware of that and I think the extent to which they can show that they’ve reviewed their contracts, reviewed their transfers, considered supplementary measures will at least put them in a strong position if they are ultimately challenged.

Adam Rose

The real problem I guess Jon on all of this is, is you see it, twelve countries have got an adequacy finding, twenty seven members of the European Union, the UK, three members of the EEA so there is probably about another hundred and eighty countries that don’t have an adequacy finding and sending data even to sort of Pukka Processors Limited of wherever, you’ve done your due diligence in relation to them and you can say yeah that’s a fine company to send it to but it is in a country that doesn’t have an adequacy finding and in relation to the US it is a country that has now two European Court of Justice judgments saying there is something dodgy about that place don’t send it over there and I think this is causing a real issue for businesses that have built themselves up on American based platforms but really on platforms it doesn’t matter whether it is Paraguay, the Philippines, Puerto Rico, it makes no difference these are all countries that don’t have adequacy findings, are cheaper, are convenient, have good time zone benefits for European businesses including UK businesses and I think this is one of those areas where if the UK isn’t careful by going down its easy-to-do-business-with route, it is going to further undermine the possibility of an adequacy finding.

Jon Baines

Completely and I think it is really important for businesses to understand where the challenges might come from you know, I mentioned the CJEU.  Well yes, you know, the Courts that’s a challenge but think about who brought that, it was Max Schrems, he’s a privacy activist, he’s now very much prominent in civil society.  Ultimately he is a data subject and so we look at contractual clauses as two parties and will we get into a dispute with each other.  Well yes we might but also there’s a regulatory risk and there’s a let’s say, a civil society risk and I think it’s going to be really important as we potentially see this I think, both Adam and Mark referred to it, the possibility that post Brexit there is, there is a drift that the UK moves, diverges from the European model and it may diverge for what seems like sound economic reasons but that drift potentially brings with it legal and regulatory risk.  That may be unavoidable but I think no one should be unaware that it exists.  I make an observation about this as a bit of advance awareness, I’ve seen a document that’s going to be published tomorrow, an economic analysis of the cost of a lack of an adequacy agreement for the UK which puts it, I think this might actually be rather low, puts the cost at between 1 and 1.6 billion to UK businesses and that cost lies in the need to consider alternative mechanisms for moving personal data across borders and it takes into account the costs of entering into standard contractual clauses.  
The costs of proper diligence in doing so and what I am not sure it does is the costs of ongoing review of those clauses because as underlying laws in importing countries change then the parties are going to need to consider whether these clauses that they have entered into are still adequate for the purpose so we’ve put on this slide and these slightly chime with the EDPB’s steps of what we think businesses should be doing so take stock of your transfers, assess your contracts and identify the risks, consider the mechanisms and document what you are doing.  If you are challenged, especially if it is a regulatory challenge, as I said earlier, you will be in a much better position if you can at least say we’ve considered these things and this is our file which says what we’ve considered.  I think what I wouldn’t want to be a business and be faced with is a regulatory investigation and I am just saying well I didn’t really think about it.

Nina O’Sullivan

So Jon I am conscious that the time is moving on.  Are you going to… shall we move on now to look at data transfers from the UK.

Jon Baines

Okay.

Nina O’Sullivan

In particular to the US I guess.

Jon Baines

Yeah.  So, so as I tend to, I’ve probably already covered part of this but the principle is the UK takes the position that conversely to really how the EU may consider the UK, the UK takes the position that transfers from the UK to the EU/EEA can continue unrestricted so we take the view for now that rather unsurprisingly the EU has a suitable protection for personal data and that there will be no problems for companies wanting to transfer data into the EU and will continue to recognise those standards.  Again though there is politics at play and it wouldn’t be beyond the realms of possibility for that sort of UK Government approach to shift.  For transfers from the UK to non EEA jurisdictions the UK has taken the view that those third countries where the European Commission has conferred adequacy the UK will adopt those so transfers to for instance, Japan and Israel and New Zealand and some of the smaller jurisdictions like the Faroe Islands can continue without any alternative measures.  The UK has also said it will continue to recognise the existing standard contractual clauses so it is an appropriate safeguard subject also obviously to what I have already said and indeed existing binding corporate rules.  Privacy Shield as we’ve said is invalid so that will be invalid, UK companies can’t, can’t rely on that as a mechanism to transfer from the UK to the US and the UK will be adopting in due course its own version of the standard contractual clauses.

Nina O’Sullivan

I think you mentioned earlier Jon that the EU has recently published draft new standard contractual clauses.  Do we think the UK will be adopting that version or the version as at the end of this year?

Jon Baines

I think the obvious… I mean the thing is the, the EDPB, sorry the Commission has published its new standard clauses, there is a process to be gone through before they are fully adopted.  I think it is likely and I really hope that the UK will try to adopt the modified version, the new version because they do address some of the, the issues that over the years…

Adam Rose

It’s going to be interesting isn’t it whether they get adopted by the 31 December or after the 1 January because they get… the EU could actually play a slightly funny trick on us.  They could either adopt them right before the end of this year so they are our law or they could wait just into January and then force the UK to decide whether it really does have sovereignty over these things or whether we just adopt them.

Jon Baines

Yeah.  I have just seen a question in, in the chat from Jacqueline Reeves saying isn’t the UK negotiating with the US for a new version of Privacy Shield.  Well yes I think so and just as, as the EU is, I think that this is beyond the realms of this talk but I think there are serious questions about whether as a matter of at least European law and to the extent the UK continues to follow that line, whether there will ever be a decision that properly, that is robust from challenge in terms of transfers from the EU or the UK to the US given the US’s surveillance regime.  The obvious answer is that the US changes its surveillance regime.  I don’t think that’s likely any time soon although Adam did refer to the change in Presidency so I think the answer is yes negotiations continue for new versions of the Privacy Shield but I don’t think they will be the answer just as Safe Harbour before Privacy Shield was not the answer.  And transfers from non EEA jurisdictions to the UK, well eleven of those countries which are considered adequate by the European Commission have agreed that for the time being there will be unrestricted personal data with the UK, the one exception is Andorra and unless Adam or Mark know why Andorra has not yet agreed that then it remains a mystery to me.

Adam Rose

You touched briefly on group companies and binding corporate rules so the UK will come to recognise those.  We mentioned earlier binding corporate rules are exceptions that are normally adopted by very large companies.  The EDPB has stated that binding corporate rules approved by the UK, as in once they have been approved in recent years, will need a new supervisory authority in the EU and then a new approval by that EU authority so that is going to be further cost for those companies affected by that and the effect of Schrems II is that BCRs, just in the same way as standard contractual clauses, need to be subjected to analysis, there can’t be just an assumption that they, they allow transfers without any scrutiny.

Nina O’Sullivan

Thanks Jon.  We’ve reached the hour actually and I am really pleased that we were able to answer lots of questions as we went along so thank you to those…

Adam Rose

The really nasty question about whether Northern Ireland was part of the single market or part of the UK market for data protection purposes which I sought to answer in the answers but I don’t know the answer is the answer.

Nina O’Sullivan

Okay.  Alright well thank you to all the panellists and thank you to all of you for joining us this afternoon and yes have a great rest of the afternoon and take care.  Thanks very much, bye bye.
