Devil in the Data detail

Saturday 13th August 2016
EU-USA Privacy Shield Courtesy

Data transfers between different jurisdictions help multinational enterprises to maximise benefits generated from data, and harmonise their global operations.  Brexit referendum, however, could seriously impact data transfers between EU and UK, when the UK exits the EU. To avoid business disruption in both UK and  EU operations,  post-Brexit agreements in regard to data transfers and data protection will be needed.  The Privacy Shield between the EU and the US may provide an example to be followed between EU and UK.

  • In a thought provoking article  Breugel authors (left) J. Scott Marcus and (right) Georgios Petropoulost explore a host of issues to better understand the potential impact of Brexit on firms, consider a multinational business with its HQ in London, and subsidiaries in Paris, Frankfurt, and other European capitals.  The London HQ would usually have personnel management responsibilities for the continent located employees. This would be possible only if personnel records for those employees can be freely shared between the company’s locations. Post-Brexit , data transfers such as these might become subject to different regulatory regimes, affecting the firm’s operations. Brexit impact could be even greater for HQ London banks, with digital platforms that require data transfers from EU located employees and clients. Exact impacts of Brexit depend on many factors, including the type of association that UK and  EU establish with one another,  however, the broad outlines of the problem can be inferred with four main possibilities:
  • The UK may somehow continue to be an EU Member State, despite the 23 June vote. 
  • The UK may apply for and be granted membership in the EEA (European Economic Area), like Norway, Iceland and Liechtenstein.
  • The UK and the EU may enact wide-ranging bilateral agreements, as with Switzerland.
  • The UK may have few or no agreements with EU,  the case with most other worldwide countries.

In all four cases, the newly enacted GDPR (General Data Protection Regulation) would govern data transfers from the EU to the UK. The GDPR comes into effect from 25 May 2018 (repealing previous EU privacy framework, Directive 95/46/EC), when UK will probably still be an EU Member State.

In the first two instances  EU/EEA scenario, one could expect little or nothing to change, beyond introducing  the new  privacy framework in 2018. Whether UK is a member of the EU or the EEA, it would be required to fully implement the GDPR (in the absence of a specific contrary agreement) Data transfers between the EU and the UK would presumably not be impacted.

The EU/EEA scenario has its merits, but seems unlikely, since EU or EEA membership would oblige UK to adhere to nearly all EU regulations. The British public would likely view either option as a repudiation of the results of the 23 June referendum. UK is more likely instead become fully independent of the EU and EEA, but possibly subject to bilateral agreements (a go it alone scenario). 

In all instances, the potential irritant is electronic surveillance that the UK government conducts in the interest of national security. Post-Snowden, it is  believed that the UK GCHQ intelligence service participates in mass surveillance as widespread and as indiscriminate as that in the USA, with  GCHQ freely sharing this intelligence with the Americans.

Side note: As the ECJ’s press release notes, “United States public authorities are not themselves subject to [the safe harbour agreement]. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. … ” An additional concern was that “the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and … rectified or erased.”

In a case brought by Austrian privacy activist  (left) Maximilian Schrems, a European Court of Justice (ECJ) ruling on 6 October 2015 invalidated data transfers from the EU to the US under a Safe Harbour agreement that had existed since July 2000. The finding was that the personal data of EU users is not adequately protected when it is transferred to the US from the EU because US firms makes the data available to the U.S. NSA (National Security Agency), for which  Safe Harbour protections were either unavailable or irrelevant (see Marcus & Petropoulos 2016). The EU-US Privacy Shield agreement that has just come into effect addresses these concerns by providing stronger safeguards.

If the UK were to remain an EU/EEA member, data transfers to and from the EU would be governed by Article 23 of the GDPR, which permits Member States to take liberties with data protection and data transfers when doing so “respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard … national security”. It is debatable whether the widespread surveillance in the UK meets this criterion, but as it is a fairly soft criterion it is unlikely to be successfully challenged.

Under the go it alone scenario, the UK would become a third country relative to the GDPR, and transfers of personal data would instead be governed by Articles 45-49 of the GDPR. Our assessment is that the UK will have to go to considerable lengths to enable continued data transfers from the EU.

Article 45 is consistent with the Schrems Decision, but it establishes a much higher threshold for transfers of personal data. In order to establish an adequacy decision (the GDPR equivalent of Safe Harbour), the European Commission would be obliged to take account of “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data”. 

In light of GCHQ activities, the UK would be unlikely to get a free ride. It is highly probable that the UK would be obliged to enter into an agreement very similar to the Privacy Shield that was just agreed between the EU and the United States. Enacting an agreement similar to Privacy Shield would be painful for the UK politically. Moreover, the negotiations to arrive at Privacy Shield are intensive, complex and time-consuming, and the resultant agreement may still be vulnerable to legal challenges.

If no adequacy decision is put in place, some firms might try to circumvent the lack by instead invoking private contract provisions under Article 46 of the GDPR. Since Article 46 largely ignores the Schrems decision, we assume that any such agreements are unlikely to survive judicial appeal to the ECJ, unless provisions similar to those of Privacy Shield are somehow put in place between the UK government and the EU.

Within a corporate group, data transfers may be possible using either the rules of Article 47 of the GDPR, or by obtaining explicit consent to the proposed data transfer from the individual concerned (for example, from the employee).

Under the go it alone scenario, the UK would no longer be subject to EU privacy law, and would need to craft its own. Whether data transfers from the UK might be restricted by the new UK privacy law remains to be seen. The UK would no longer be a party to the data transfer provisions of Privacy Shield, and would have to negotiate new arrangements with the US, assuming that they are concerned about maintaining data privacy. Likewise, they would no longer be a party to EU data transfer agreements with other third countries, such as Switzerland. In regard to data transfers to and from the EU and to other countries as well, as in many other areas, the UK is entering a period of considerable uncertainty and complexity.

Custom Search

Scotland, Computer News in Scotland, Technology News in Scotland, Computing in Scotland, Web news in Scotland computers, Internet, Communications, advances in communications, communications in Scotland, Energy, Scottish energy, Materials, Biomedicine, Biomedicine in Scotland, articles in Biomedicine, Scottish business, business news in Scotland.

Website : beachshore