The end of the EU-US Privacy Shield scheme – One aspect of a larger problem with ‘sensitive data’ transfer between the UK and the EU
A decision by the Court of Justice of the European Union (CJEU) has just rendered the EU-USA Privacy Shield invalid. Privacy Shield is the scheme that allowed EU members to move data to the USA without worrying about GDPR. Allegedly – it was always more popular in the USA than in the EU.
So, colour me very unsurprised. The EU Data Protection people I met disliked Privacy Shield. With good reason given US security laws that, in effect, give their spooks access to anything they want – as long as it is stored or processed by a US-owned firm.
This matters because the EU takes the privacy of sensitive personal information about EU citizens very seriously, the USA much less so. You may think that the status quo is working OK, and that there is no reason for it to change. There is: we are currently in a Transition period and still being treated as a member of the EU, more or less; this will stop at the end of 2020 and (unless a deal gets negotiated) we will then be fully outside of the EU.
So, imagine this use case: a UK company trades globally and has customers both in the USA and the EU, and uses a US-owned SaaS product. I have heard a US company tell its customers that Privacy Shield was an absolute panacea against any GDPR issues. It never was and, to be fair, the one I’m thinking of built/is building EU data centres (not, I hope, just in London, as we aren’t in the EU any longer), because their UK and EU customers simply didn’t believe its assurances.
But how good are the US SaaS provider’s internal procedures at ensuring that no sensitive data on an EU server can ever find its way onto a US server, perhaps as a backup or contingency file? And would it refuse to hand over EU data from its EU servers if an American security agency asked for them? Until now, it probably relied on Privacy Shield to cover such eventualities. Whether that worked or not in the past, now it definitely doesn’t. I await some test cases with interest – the GDPR regulations have teeth and are more concerned with the principles of data privacy than the letter of the law anyway.
My understanding, based on lectures at the IoD on the impact of Brexit a year or so back, is that this is one aspect of a far bigger potential problem for any UK company that allows the sensitive data of EU citizens, perhaps domiciled in the UK, onto its databases. The EU expects this EU data to have the same “adequate” level of protection in these UK databases as it would have in the EU – and this protection is determined as “adequate” by the EU data protection authorities. Boris Johnson can’t attain “adequacy” unilaterally by implementing GDPR in the UK (no matter what he says); this has to be granted by the EU (and parts of Germany that are very hot on privacy have, in effect, a veto).
As far as I can see, there are five possible (more or less sensible) consequences for a UK company that currently sells to EU citizens (but please do check this with your lawyers; and make sure that they really do understand GDPR):
- It follows UK GDPR rules and hopes that no EU citizen minds. That is very high risk, so I hope its risk management processes are first-rate. The Privacy Shield case shows that some EU citizens really do care about privacy (the EU regulators certainly do); the GDPR fines can be swingeing (I’d think they’d fall on any company representatives in the EU); and the EU regulators have a reputation for liking high profile test cases that remind firms that GDPR matters.
- It refuses to trade with any EU citizens under any circumstances. That might be hard to enforce and has business implications, but it may be the simplest way out for many SME UK-only traders. Post Brexit, the whole world may not be our oyster.
- It sets up its customer database in the EU and only stores and processes the data of EU citizens in the EU. That is non-trivial (simply accessing sensitive data from the UK office probably breaks GDPR) but feasible. I hope the company is already well on the way with this project, if it takes this route.
- The company simply moves to the EU and sets up business there. Hard luck for UK Plc. – and quite disruptive for the company.
- The company sets up Standard Contractual Clauses (SCCs) for the transfer of sensitive data, in the context of a GDPR-compliant privacy program. This is probably going to be the least-worst option, in practice, but it is non-trivial, IMO, and is also subject to legal challenge. It will not be further considered here, except to say that GDPR-aware US companies are probably already pursuing this route and have the resources to do so. I don’t think that this is any sort of simple panacea – but do talk to your lawyers if you think you are affected by SCCs or want to implement them, don’t just take someone’s word as to their adequacy.
There is a possible sixth consequence. Everybody ignores this cross-border sensitive data transfer issue until the day after transition ends – and chaos ensues. Or perhaps, with rather a lot of luck and good-will, nothing happens. But in a long life I’ve usually found that ignoring a potentially serious problem and hoping that it just goes away tends to end up being very expensive.
What would be extremely nice, as part of any sort of Brexit deal, is an ‘adequacy decision’ from the EU covering the UK implementation of GDPR – but there are serious difficulties with this (when the UK rejects the EU’s Charter of Fundamental Human Rights, data privacy is no longer a fundamental human right, for example), so don’t hold your breath.
To summarise, what this all means is that managing cross-border data movements between EU and non-EU countries really does matter, largely because of GDPR and because the regulations have to be agreed with the EU and can’t be implemented unilaterally by the UK. This is a particular problem for the UK (as opposed to, say, Australia) because UK business has been heavily integrated with EU business for a long time. It is very hard to see how UK-EU trade can operate without some movement of the sensitive data of EU citizens between the EU and the UK, and UK companies should already have started to address the implications of this issue. Has your company started on this yet?