Yesterday, ScotlandIS Head of Data, Katy Guthrie, hosted a roundtable to focus on the impact of the end of the Brexit transition agreement on international data flows.
We heard from Martin Sloan, Data & Tech Partner at Brodies LLP, on what the impact is and the additional steps needed if an adequacy agreement cannot be reached in time. Joe Jones, Head of International Data Transfers at DCMS, talked about the work the UK government is doing to negotiate an adequacy agreement, and of some opportunities the new regime might bring. Finally, we also had David Freeland, Principal Policy Adviser at ICO, to bring along the regulator perspective and highlight ICO guidance.
Some key takeaways from this session:-
- Initially, organisations need to understand what constitutes a “cross border data flow” to know where their impacts might be. For example: If data is input in the EU but hosted in UK, this is a cross border flow. IT support work undertaken in the UK which involves looking at data in EEA is also a cross border flow. Similarly, storing personnel data in the UK for a large corporation with staff in EEA may also constitute a cross border transfer.
- Organisations also need to understand what intra-EEA cross border data flows they are already engaged in.
- The UK governement have already agreed that data can flow from UK to EEA countries. Flows of data from EEA to UK are more impacted, as the EU has not yet agreed to consider UK data protection legislation sufficient; in part, due to concerns around law enforcement access to required data.
- At the end of the transition period GDPR will cease to apply to UK; instead we will have “UK GDPR”. UK GDPR will be equivalent, however UK based companies who provide services to EEA citizens will be “dual-regulated” by both ICO and the EEA regulator. Organisations may therefore need to consider having a representative in the EEA. There is also potential for UK GDPR and European GDPR to diverge in future.
- Organisations need to ensure that appropriate Standard Contractual Clauses are in place, in the event the EEA do not reach a finding of UK adequacy.
- Through negotiations to date, flows of UK data to the 12 countries which the EEA have an existing adequacy agreement with can also continue (eg. New Zealand, Argentina). Of those countries, only Andorra has currently not ruled to allow Andorran data to flow into the UK.
- In future, there is the opportunity for the UK to negotiate agreements with countries not currently covered by any of the EU’s arrangements to help encourage trade, so it will be important for government to understand where these opportunities should lie. This is obviously less immediate and likely an area of interest after the end of 2020.
- It’s possible that the lack of an adequacy agreement may act a disincentive for European companies to outsource IT operations to UK based providers. It’s therefore important that organisations understand the implications to help provide additional confidence, though ultimately the decisions and negotiations of governments are of greater influence.
- The SHREMS II judgement, which has been in the news recently, resulted in the removal of the EU:US Privacy Shield. This means that there is no longer an approved mechanism for protecting the transfer of personal data from the EU to the US. The implications of this are still playing out, but will likely place an additional burden on organisations to carry out due diligence.
Finally, there are a number of resources available to help organisations, and we would very much encourage companies to read through the ICO guidance.
- ICO guidance on data protection at the end of the transition period
- ICO guidance on international transfers
- EDPB FAQs following the Schrems II case
In addition, Brodies LLP have also published some guidance.
To conclude, this is an area which many organisations need to think more about, to understand the steps they need to take ahead of the end of the transition state.
Note, we are planning to run a similar event in collaboration with Scottish Council for Development and Industry. This will be focussed across the whole economy rather than just digital technology companies; if you are interested in taking part to learn more, please get in touch with Katy Guthrie at firstname.lastname@example.org.