With the prospect of a no-deal Brexit becoming likelier by the day, tech policy & regulation specialist Heather Burns explains how to prepare your data flows for a disorderly exit from the EU.
As the 29th of March approaches faster than any of us are able to comprehend, businesses have been left with little choice but to prepare for a no-deal Brexit scenario. 80% of the UK’s businesses trade in services, and data flows are their fundamental product. Those flows, as with so many other areas of commerce, have been rendered collateral damage in a political game no-one voted to play.
Over the past week, both the EU and the UK’s data protection regulators have issued new guidance for service businesses on how to prepare for disruption to data flows in the event of a no-deal Brexit. The guidance is relatively straightforward, building on the documentation processes required for healthy GDPR compliance which should be second nature by now; it is in no one’s interest for data flows to end at the stroke of midnight.
Both sets of guidance, however, presume that those no-deal preparations would be a stopgap between the European Union and an adequacy arrangement. It is important to understand why that may not be the case.
Deep feelings of inadequacy
In September 2018 the Department for Culture, Media, and Sport published its first guidance on what would happen to data protection in the event of a “no deal” Brexit. In the report, DCMS boasted that “[i]n recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”
Their on-message egotism - “We’re alright, Jack” - did not address the actual problem for service businesses. In a no-deal scenario, every recipient of information travelling in the other direction – from the EU to the UK – becomes responsible for creating a legal structure for that flow, in lieu of what we took for granted under the single market. This duct-tape approach must suffice until an adequacy agreement - meaning recognition of the post-Brexit UK as an adequate host for European data - is hammered out.
That adequacy agreement is by no means assured. The UK’s data protection adequacy within the European Union has hung by a thread for several years, thanks in no small part to the mass surveillance programmes championed by Theresa May during her time as Home Secretary. On the same day that DCMS’s first “no deal” guidance was published in September, the European Court of Human Rights ruled that the UK’s mass data interception and retention programmes were “unlawful and incompatible with the conditions necessary for a democratic society.” This judgement, and the UK government’s Brexit-tied inability to respond to it, will absolutely contribute to the process of deciding whether the UK is worthy of a post-EU adequacy decision.
Despite the red tops’ best attempt to paint these risks to adequacy as European intransigence, the simple fact is that the process to evaluate adequacy cannot begin until after the UK has left the European Union. It is not possible to evaluate a third country which is not a third country yet. Once the UK is a third country, we should not expect an adequacy agreement to be finalised for at least two years.
What does this domestic quagmire mean for customer service businesses? Until an adequacy decision is granted - assuming it ever is - businesses must explore standard contractual clauses, derogations, or the other commercial mechanisms normally associated with corporations and fully staffed legal departments, in addition to being extremely diligent with their ongoing documentation and compliance processes.
What you need to do to prepare
This month, the Information Commissioner’s Office (ICO) has released updated and simplified guidance for businesses to use to prepare for the impact of a no-deal on data flows. Businesses which invested time and resources into preparing for GDPR last year will find this guidance fairly simple, as it builds on the steps you will have already taken to come into healthy compliance:
- Continue to comply to GDPR standards, including the resourcing and support of your Data Protection Officer;
- Review inbound data flows from the EU to the UK, the safeguards you use on your side, and the structural process for those transfers (contracts, Binding Corporate Rules, or GDPR derogations);
- Review outbound data flows from the UK to the EU, which can continue as before;
- Review your European operations, including identifying which country will act as your lead supervisory authority and whether you need to appoint a European representative within the EEA;
- Update your privacy notices, customer-facing information, and internal documentation for changes to terminology about data transfers, domestic and EU law, and non-EEA flows such as Privacy Shield; and
- Raise awareness across your organisation on the continuing issues at hand, regardless of a deal or a no-deal scenario. This includes day-to-day operations such as your risk register as well as Director-level awareness.
For the second preparation point - reviewing inbound data flows - the ICO has released a tool to help you build standard contractual clauses for data flowing from the EEA to the UK. While the tool provides suggested language, it must be used as part of a thorough due diligence approach; it is not the solution in and of itself.
UK businesses enrolled in the US-EU Privacy Shield programme should look at the guidance the US has released for both deal and no-deal scenarios, including the model language to update in your privacy notices.
On the EU side, this month the European Data Protection Board (EDPB) has also released two factsheets to help UK businesses prepare for a no-deal. While generally similar to the ICO’s guidance, it is more legalistic and less friendly; and who could blame them for that? Crucially, the guidance includes the steps that businesses using Binding Corporate Rules (BCRs) should take to prepare for the loss of the ICO as their lead supervisory authority.
The clock is ticking
But are all of these precautions really necessary?
The hard answer is yes. I have monitored government’s approach to Brexit and the digital sector for two years. In that time, government’s attitude towards the sector has dramatically hardened. Tech companies have been blamed for everything from teenage suicide to the promotion of terrorism; the imminent loss of the only legal framework the sector has ever known has been called an “advantage” for the United Kingdom; and the official vision for the tech sector has openly shifted from growing the economy to controlling personal behaviour.
Indeed, as I write this article, the Ministers for Culture and Digital are not in Westminster safeguarding British digital businesses; rather, they are touring Silicon Valley lecturing American tech giants about morality.
After two years of Brexit preparation, the message from government could not be clearer. When it comes to digital regulation and our withdrawal from the EU, businesses can expect no sympathy or support. It falls to you to take back control and safeguard your data flows yourself. Start now.
Heather Burns is a tech policy and regulatory specialist from Glasgow, Scotland. She monitors Brexit’s impact on the digital and tech sectors at https://afterbrexit.tech.