So far, much of the discussion surrounding last week's Court of Justice of the European Union "Schrems II" decision has focused on the implications for personal data transfers to the United States or other non-European countries, but its impact will be felt in the U.K., as well, and add a further layer of complexity for companies preparing for Dec. 31, when the Brexit transition period will end.
The key question at this stage is whether the U.K. will be successful in securing an adequacy finding from the European Commission by that date or whether it will be considered a "third country" for which data transfers will need to be legitimized by appropriate safeguards, as is the case for other third countries with no finding of adequacy. In addition, the post-Brexit U.K. will be a separate legal regime from that of the EU, which companies will need to consider separately from the EU data transfer rules.
In light of the ongoing uncertainty, set out below are the important initial steps that companies transferring data to and from the U.K. should consider at this stage.
Keep in mind the implications for UK adequacy
Organizations will need to be mindful that the decision and its heavy focus on government surveillance may have implications for U.K. adequacy. While the adequacy assessment for the U.K. is currently underway, a U.K. adequacy finding is by no means a given. Given that the EU-U.S. Privacy Shield appears to have been invalidated primarily because of concerns about U.S. law and practice on government surveillance, similar arguments could be made in relation to the U.K. adequacy assessment. This is particularly so in view of the broad powers of the U.K. authorities to intercept communications and require access to data under the Investigatory Powers Act 2016. Companies should, therefore, start to prepare for the possibility that the U.K. may not be successful in securing an adequacy finding and begin to consider alternative mechanisms to legitimize transfers to the U.K. from the European Economic Area as discussed in more detail below.
Transfers from the EEA to the UK
Without an adequacy decision for the U.K., organizations transferring personal data from the EEA to the U.K. will need to put in place a data transfer mechanism to legitimize the transfer to the U.K. or identify another means to justify the transfer.
Given that the CJEU has upheld the validity of the EU SCCs in "Schrems II," the good news is that the SCCs remain an option for transfers from the EEA to the U.K.
That said, the judgment clearly places a burden on data exporters relying on SCCs to carry out case-by-case assessments of the extent to which data will be protected in the destination country, including in the U.K., particularly with regard to the legal regime in that country and access to that data by the national public authorities.
In addition, companies should be mindful that any SCCs could be vulnerable to regulatory scrutiny from European data protection authorities if in practice it would be impossible for a U.K.-based data importer to comply with the SCCs. Again, given the emphasis which "Schrems II" places on the U.S. authorities' powers of surveillance and access to data, similar arguments could well come up in relation to the powers of the U.K. authorities in this respect and in particular the IPA 2016.
As such, given the increased uncertainty that now surrounds reliance on the SCCs, companies transferring data from the EEA to the U.K. should also begin to consider any alternative mechanisms that might be relied on in their stead (such as binding corporate rules or Article 49 derogations).
Transfers from the UK to the EEA
For transfers of personal data from the U.K. to the EEA, the U.K. government has indicated its intention to ensure that personal data can continue to flow freely from the U.K. to the EEA following the transition period and intends to recognize the EEA and jurisdictions subject to an adequacy decision by the European Commission as “adequate” for the purposes of U.K. data protection law. This will allow personal data to continue being transferred from the U.K. to the EEA without needing to put SCCs or other safeguards in place (in contrast to the position for EEA-U.K. transfers). Assuming the position of the U.K. government on this point does not change, "Schrems II" does not change this position.
Transfers from the UK to the US and other third countries
The U.K. Information Commissioner's Office has stated that for the time being, companies currently relying on Privacy Shield to transfer personal data to the U.S. can continue to do so, although organizations not already relying on it should not start to do so now.
In the short term, this statement will be reassuring for U.K.-based data exporters and suggests there may be little immediate risk of enforcement action from the ICO for continued reliance on Privacy Shield. The ICO has also indicated, however, that it is reviewing its current guidance on SCCs and Privacy Shield in light of the decision, and so the ICO's position could well change in the near future. Organizations should, therefore, watch for updated guidance from the ICO in the coming weeks.
Longer term, the position in relation to U.K.-U.S. data transfers is much less clear.
Prior to the decision, the U.K. government was making preparations to allow data transfers to the U.S. under a modified Privacy Shield arrangement after the end of the Brexit transition period, but it remains to be seen whether the U.K. will now change its approach in light of the decision. Therefore, organizations should begin preparing for the possibility that a U.K.-U.S. Privacy Shield (or something like it) will not be an option for U.K.-U.S. transfers after the end of the transition period and that they may need to rely on alternative mechanisms to legitimize these transfers. Moreover, even if the U.K. were to continue down this path, companies would still need to consider whether it is feasible to participate in Privacy Shield for U.K. to U.S. transfers and a different transfer mechanism for transfers from the EEA.
Companies should also be aware that the decision will have implications for data transfers from the U.K. to third countries other than the U.S. Because the decision is still binding on the U.K. courts, data exporters relying on the SCCs will need to make the same assessment as companies transferring data from the EEA in respect of the data importer's practical ability to comply, in view of the level of protection provided by the relevant third country's legal system for the data transferred.
Continue monitoring developments
At the time of writing, DPAs, including the ICO, are still digesting the judgment, and its interpretation is still evolving. We should, therefore, expect more guidance and statements to be issued in the coming weeks, both from the ICO and DPAs in the remaining EU member states. Companies should, therefore, continue to watch for further developments and adjust plans accordingly if necessary.