No Longer Adequate: What an EU Warning Means for Data Processing Operations in the UK
By Saad Gul and Michael E. Slipsky
European Union law requires businesses processing European data to adhere to EU privacy standards. Countries that are recognized as adhering to those standards are entitled to an “adequacy” determination. Data transfers between the EU and countries with “adequacy” determinations, such as Canada or Switzerland, are approved under EU law.
A significant question in privacy circles has been how the UK would accommodate EU standards in the wake of a British withdrawal from the European Union. Aware of the significant implications of the issue, the British government had sought an early “adequacy” determination in an effort to reassure data processors.
As negotiations dragged on through 2017, however, the prospect of an early adequacy determination receded. Finally, on January 9, 2018, the European Commission issued a “Notice to Stakeholders.” The Notice confirms that following withdrawal from the EU, the UK will be deemed a “third country.” In other words, for data processing purposes, a post-Brexit UK will be on the same legal footing as, say, Tunisia.
The Notice reminded all stakeholders of the legal repercussions of processing EU personal data in a third country. This is a tactful reminder that such processing would be prohibited absent an alternative legal basis.
The Notice did reiterate that alternative legal mechanisms remain available even in the absence of an adequacy decision. These include:
· Model contract clauses;
· Binding corporate rules;
· Approved codes of conduct;
· Approved certification mechanisms (such as Privacy Shield in the United States).
Nevertheless, the subtext of the Notice is clear: an adequacy determination is not a foregone conclusion. If an adequacy determination is not negotiated as part of a final Brexit agreement, a possibility that looks increasingly likely, then UK-based technology companies, including American firms operating in the UK, will have to rely on one of these alternative mechanisms.
With Brexit scheduled for March 30, 2019, UK-based data processors should evaluate their data processing requirements and prepare contingency plans. Come March 2019, they may be glad they did.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or email@example.com. Mike may be reached at 919.783.2851 or firstname.lastname@example.org.