People, the data transfers to and from the UK will be fine
With Brexit looking to be more and more of a disorganized disaster every day, I’m starting to see those pesky articles about post-Brexit personal data transfers pop up again. As well they should, I suppose. When the U.K. leaves the EU, the law will certainly be different and there will, indeed, be some uncertainty.
I know lots of you compliance types hate uncertainty. I get it. But I’m here to tell you it’s not going to be a big deal.
How do I know? I watched what happened when Safe Harbor got shot down by the Court of Justice of the European Union in October 2015. What’s that? What’s “Safe Harbor”? Don’t tell me you’ve forgotten already!
Just kidding. I’m sure you remember how that dude Max Schrems — snowboarder, lawyer, dilettante, and general pain in the tech industry’s neck — had his case heard by the CJEU and the Safe Harbor agreement, which allowed for certain organizations to transfer personal data out of the EU and into the United States, was ruled illegal and therefore null and void.
I’m sure you remember, because it was a BIG DEAL. The IAPP web site saw unprecedented traffic. Two thousand people showed up for a conference call/web conference we held (which cost a bunch of money, by the way - those web conference platforms are thieves). Articles were written. Bad metaphors were created. How would all of these U.S. companies (and EU companies, for that matter) transfer data? Their businesses would come to a halt!
And yet … literally nothing happened [mea culpa: I forgot about the wacky Hamburg DPA, which fined three companies 11,000 euros or so each]. In the time it took for the U.S. government and the EU to iron out the Privacy Shield that replaced Safe Harbor, all the way until July of 2016, exactly zero enforcement actions came down against organizations transferring personal data from the EU to the U.S.
Did the thousands of organizations that were self-certifying under Safe Harbor all suddenly stop transferring personal data? No. Did they all suddenly attach standard contractual clauses to every single data transfer? I don’t think so. Did they all immediately apply for and have granted binding corporate rules? Ha.
No, seriously. HAHAHAHAHA. These binding corporate rules are so important to international data transfer that the European Commission hasn’t even updated the list of approved BCRs since May of 2018! And it’s still a list of, like, 125 companies. No one has BCRs or can afford them. They’re a cool marketing tool for select big organizations that provide them some sense of compliance assurance and legal backstop.
No one who participated with the Safe Harbor that I spoke to heard even an inquiry from a single regulator in the time where there was no adequacy agreement between the EU and U.S.
Rather, people were told to bide their time, keep doing the “good work” they were doing, and to wait for further instructions. Those instructions came with Privacy Shield, and now we’ve got 5,000 organizations participating happily. Yay!
Except then, six months later, in January of 2017, the Department of Commerce says, “hey guys, GOOD NEWS, we now have an agreement on a U.S.-Swiss Privacy Shield!” Because, like, all of those personal data transfers had just been not happening for yet another six months? Of course not. People just continued doing what they were doing, knowing that no government entity in this day and age is going to ask all personal data transfer across borders to stop.
Especially not to an international banking hub like Switzerland. It’s absurd on its face. And yet, theoretically, it was all being done illegally.
So, now we find ourselves in a position where after Brexit the U.K. will have a GDPR-like law, which prohibits transfers to non-adequate countries, and if no adequacy agreement is in place with the United States, those transfers could be deemed largely illegal. Further, transfers from the EU to the U.K. will be illegal, barring SCCs or BCRs, and the EU’s portion of no-deal means “we’ll consider adequacy on our time.”
Will this be a BIG DEAL?
Well, I’m sure the law firms advising your companies will think it’s a very big deal, indeed. You should hire them to do your BCRs RIGHT NOW. It’ll only cost about a million bucks in billable hours. Don’t worry about it.
But, well, no it won’t be a big deal. It just won’t. The ICO has already said it will honor all adequacy decisions the EU Commission has previously ironed out. Which includes the Privacy Shield. So that’s sorted. If you’re doing Shield now, nothing in regard to the U.K. will change at all post-Brexit.
My guess, for clarity’s sake, is that the U.S. Department of Commerce will relatively quickly iron out and announce a U.K.-specific Shield deal (it’ll be mostly cut and paste, and will cost you another $500 or something to join another version of Shield) and the EU Commission will iron out a Shield-esque deal with the U.K. (if Brexit ever actually happens), with lots of very important principles, and everything will be fine, just like it is now.
Right? All of this international data transfer stuff is fine and totally above board and everyone really pays attention to those principles, right? That must be the case, since I still have not heard of a single complaint being adjudicated by the mechanisms put in place by the Shield program.
Of course it is and of course they do. Good chat.