U.S.-Bound Data From EU May Need Reroute Post-Brexit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George R. Lynch

Aug. 16 — It may not be smart for companies to schedule European Union data bound for the U.S. for a layover in the post-Brexit U.K., privacy professionals told Bloomberg BNA.

Advantages companies saw in having data transfers to the U.S. launch from the U.K. with its perceived business-friendly, mature privacy compliance system may well be outweighed by the uncertain future status of the country in the EU data protection framework, they said.

Although nothing will change for at least two years, companies need to follow developments, because, “like most compliance work, the earlier you know what the requirements will be, the more time you’ll be able to transition to a new regime,” Kenneth K. Dort, partner and chairman of the Technology Committee at Drinker, Biddle & Reath LLP, in Chicago, told Bloomberg BNA.

Brexit Map
Uncertain Post-Brexit Relationship With EU

The exact nature of any new data transfer regime will be in limbo until the U.K. decides whether it will remain a member of the European Economic Area (EEA) and what kind of data protection law it puts in place.

U.K. voters decided to leave the EU—commonly known as Brexit—in a referendum held June 24.

But the U.K. still has to initiate the Article 50 withdrawal in accordance with the Lisbon Treaty, which gives the U.K. and EU two years to negotiate the U.K.’s official exit from the EU. It’s unclear when the U.K. government will make its Article 50 declaration, but it recently announced that it won't trigger Article 50 until at least 2017.

Within that two-year period, the U.K. will have to decide whether it wants to remain in the EEA, and maintain a relationship with the EU—similar to Norway's current arrangement—leave the EEA or come up with some other option. Because the May 2018 effective date of the new EU General Data Protection Regulation (GDPR) will precede the close of the two-year Brexit negotiations, the U.K. will likely be covered by the GDPR for a short time. After that if the U.K. wants to continue receiving personal data from the EU it will need to ensure that its privacy laws will be found adequate by the bloc.

“Brexit certainly isn't the end of cross-border data transfers. Multinational companies operating in the U.K. should still prepare for the new EU data protection rules (which are likely to apply before any Brexit), and monitor for any changes in the U.K. approach to data privacy,” Anahita Thoms, data protection counsel at Freshfields Bruckhaus Deringer LLP in New York, told Bloomberg BNA.

Robert Johnson, legal director at Reynolds Porter Chamberlain in London, told Bloomberg BNA that Brexit may potentially open up to scrutiny any aspect of a data transfer involving the U.K., depending on what the new U.K. regime looks like.

Given the uncertainty, it would make sense for companies to avoid transferring data through the U.K., and instead route data straight from the EU to the U.S., Johnson said.

“These companies might find it easier to locate a data center operation within the (remaining) EU, rather than in the U.K., or move to cloud service providers that have an EU-only cloud,” he said.

U.K. Layover

Many companies that transfer EU data to the U.S. have affiliates spread across the EU, and may first transfer the data to a “first among equals” affiliate in the U.K. before it's transferred on to the U.S., Dort said.

This route allows companies to minimize compliance obligations in the first EU country where the data is collected.

“The reason companies may send data to the U.K. before transferring it to the U.S. is that U.K. local regulations are somewhat less strict than continental regulations such as in France and Germany, which is the reason why a lot of EU jurisdictions looks at the U.K. as a quasi-U.S. in terms of data security,” Dort said.

Companies that used this method before the Brexit vote need to prepare for changes in the mechanism used to send data from the EU into the U.K., and also how that data then legally moves to the U.S.

William Long, partner at Sidley Austin LLP in London and member of the firm's Privacy, Data Security and Information Law practice, said that “following Brexit companies transferring personal data from the EU to the U.K. and then onto the U.S. will want to make sure such transfers from the EU are done in compliance with EU data protection requirements.”

U.K. Privacy Law Adequate?

The data transfer regime that will emerge will largely depend on whether the U.K. remains part of the EEA, and if it doesn’t, whether it is deemed to provide adequate protection, or be “white-listed” by the European Commission, the EU's executive arm.

“The U.K. will most likely be considered a safe (or ‘adequate') destination for personal data,” Giles Pratt, information technology partner at Freshfields Bruckhaus & Deringer in London, told Bloomberg BNA.

The most important question, however, is which route the U.K. will go. It could follow the Norwegian model, and remain in the EEA while apart from the EU, or the Swiss model, where it's outside the EU and EEA but is white-listed by the Commission. The Norwegian model won't cause any change in the data transfer regime, according to privacy professionals.

European Economic Area

Jörg Hladjk, of counsel for Cybersecurity, Privacy and Data Security at Jones Day in Brussels, told Bloomberg BNA that If the U.K. decides to remain in the EEA, “the EU would most likely require U.K. law to implement the GDPR (or very similar rules) as part of the commitment for access to the single market.”

Long said that The U.K. would still be deemed adequate in this case, so no changes in data transfer mechanisms would be necessary.

Johnson said that in the event that the U.K. leaves the EEA, “it would be reasonable to expect that the U.K. will apply to get a white-listed status from the European Commission for international data transfers.”

Long said that if the U.K. is white-listed by the European Commission, model clauses between organizations located in the EEA and organizations in the U.K. won't be necessary.

Whether the U.K. is white-listed will depend on what data protection laws it puts in place. The U.K. is currently governed by the Data Protection Act, but the GDPR will take effect in May 2018 if no other legislation is passed.

Rohan Massey, partner at Ropes & Gray LLP in London and head of the firm's privacy and data security practice in Europe, said that “The adoption of legislation equal to the GDPR will provide the basis for an EU finding of adequacy and placing the U.K. on the white list.”

The ICO has already made clear that U.K. data protection law should be consistent with new EU standards, but Johnson said that although it's unlike to move too far from the GDPR model, “it's possible that the U.K. government will try to avoid implementing some of the more onerous parts of the GDPR.”

The only countries that have been found to have adequate privacy regimes are Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Uruguay and Switzerland.

The most significant changes for companies will arise if the U.K. leaves the EEA and the European Commission declines to deem it to have adequate privacy laws.

Pratt said that in the absence of being white-listed, model clauses and Binding Corporate Rules (BCRs) will be the two main options for personal data transfers from the EU to the U.K., unless the EU and U.K. negotiated a program similar to the Privacy Shield.

Johnson said that “if white-listed status isn't achieved, U.K. companies are likely to have the extra burden of having to enter into a web of Model Contract arrangements.”

Existing BCRs are unlikely to be affected by Brexit, unless the lead privacy office that approved a BCR is the U.K. Information Commissioner's Office, in which case “it may be necessary for the role of the lead DPA to be transitioned from the U.K. to a lead data protection authority in another EU member state before or on Brexit,” Long said.

U.K. to U.S. Transfers

If the U.K. has to prove its adequacy for data protection, using it as a data transfer hub “becomes less attractive,” Johnson said.

Companies in the EU should try to cut the U.K. out of the loop by sending data directly to the U.S. using model clauses or the EU-U.S. Privacy Shield data transfer program Johnson said.

Although the U.S. hasn't been held by the European Commission to have an adequate privacy regime, it has decided that the Privacy Shield provides adequate privacy. The Privacy Shield was launched as a replacement for the invalidated U.S.-EU Safe Harbor program used by than 4,000 U.S. companies and tens of thousands of EU companies to legitimize their transfers of the personal data of EU citizens to the U.S. The program, which launched Aug. 1, allows U.S. companies to self-certify to the U.S. Department of Commerce their agreement to abide by privacy principles outlined in the pact.

It may be easier for companies to put their data centers in a remaining EU country or use an EU-only cloud service rather than continue sending data to the U.K., Johnson said.

Companies shouldn't leave themselves with only one option for data transfers, and should “think about implementing EU-U.S. Privacy Shield protocols at the same time so you can give yourself the best of two options over the medium to long term,” Dort said.

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.