Post-Brexit: International Data Transfers and the GDPR
As sovereign trade deals hang in the balance amid ongoing Brexit talks, Software-as-a-Service (“SaaS”) businesses are preparing for the end of the Brexit transition period regarding the international transfer of personal data.
The transition period allows the UK to remain in both the EU customs union and single market otherwise allowing it to continue pre-Brexit until December 31, 2020 when the transition period ends, and the UK is no longer a part of the EU. When the UK ceases to be a part of the EU, international data transfer anxiety will start to kick in and be reflected in ordinary SaaS agreements.
Come January 1, 2021, the UK will be considered a third country for the purposes of the General Data Protection Regulation (the “GDPR”). In order to facilitate international transfers of personal data from the EU to third countries, the GDPR sets out various transfer mechanisms.
One such mechanism applicable to SaaS companies is an adequacy decision. Article 45 of the GDPR permits international transfers of personal data from the EU to third countries that the EU Commission has decided ensures an “adequate level of data protection.”
As noted above, the GDPR will continue to apply to the UK until December 31, 2020. During this period and after if the EU Commission so chooses, the EU Commission will need to assess the UK’s adequacy before it grants any adequacy decision; this process has yet to take place. As it relates to the UK, when assessing whether to grant an adequacy decision, Article 45 sets out that the EU Commission must consider, in particular:
1. The UK’s respect for the rule of law, human rights and fundamental freedoms, the protection provided relevant legislation (both general and sectoral), public security, defense, national security and criminal law and the access of public authorities to personal data, rules for the onward transfer of personal data to another third country, the existence of effective and enforceable rights for individuals and effective administrative and judicial redress for individuals whose personal data is being transferred;
2. The existence and effective functioning of independent supervisory authorities in the UK, adequate enforcement powers, the ability of individuals to exercise their rights and measures enabling cooperation with the supervisory authorities of the EU Member States; and
3. The international commitments into which the UK has entered.
However, the UK’s adequacy decision is more complex than what is required by the GDPR.
Even though the UK has been subject to the GDPR as a member of the EU since GDPR’s effective date in May 2018, the Schrems II ruling against Facebook in the European Court of Justice in July 2020 highlights that the EU, in terms of data protection, is concerned with the general exercise of government surveillance for the purposes of national security.
So, even though the UK was deemed adequate while a member of the EU, it now has to reconcile its Regulation of Investigatory Powers Act and other relevant legislation with the Schrems II decision before the EU Commission will grant a favorable adequacy decision.
Even if the EU Commission does grant a favorable decision, it must subsequently monitor developments in the UK and, if it considers that the UK no longer provides an adequate level of protection, it can repeal, amend, or suspend its decision. Thus, the EU Commission will not want to grant an adequacy decision to the UK only to repeal it if the UK changes its regime down the line.
Without an adequacy decision, on a contract-by-contract basis, parties in the SaaS space often rely on the Standard Contractual Clauses (“SCCs”) as an appropriate safeguard under Article 46 to normalize international data transfers. While commonly used, those who are not accustomed to the SCCs may not fully understand the complicated and potentially expensive safeguards that are required by the SCCs.
Further, while the Court of Justice did not strike down the validity of the SCCs in its Schrems II decision, it did place substantial uncertainty as to its assurances for providing adequate safeguards for international data transfers. Since then, the EU Commission, who has the power to amend the SCCs, has published a draft set of new Standard Contractual Clauses, which are open for public consultation until December 10, 2020.
Once approved, the new SCCs will replace the current SCCs and companies will have twelve (12) months from the effective date of the new SCCs to replace any existing contracts with the old SCCs. The final SCCs are expected to be adopted in early 2021.
Therefore, companies must understand the current SCCs as well as the new SCCs if they are going to rely on SCCs to transfer personal data from the EU to the UK especially as an adequacy decision is unlikely in the immediate future.
If you are a business that has questions about data privacy laws and how the laws impact your business, contact the Founders Legal team.