Personal data transfers in general, and in the financial sector in particular, are one of the many gaps in the Brexit trade and cooperation agreement (TCA). There is a transition period, but once it lapses later this year financial institutions may no longer be allowed to transfer client data between the UK and the EU.
If you enjoyed the endless succession of deadlines that came and went with the UK leaving the EU, you’re going to be thrilled with the process which puts flesh on the skinny trade and cooperation agreement (TCA) agreed on Christmas Eve. For example, on data transfers, GDPR rules will remain in force until 30 April, “which period shall be extended by two further months, unless one of the parties objects” notes the guidance from Luxembourg’s National Commission for Data Protection (CNPD). So if your company has internal group data flows across the Channel, or you use a UK service provider, each relationship needs analysing with care.
Is the UK essentially equivalent?
A more permanent deal will be required thereafter. If the EU decides the UK’s personal data protection regime is ‘essentially equivalent’ it could allow existing relationships to continue. However, if this ‘adequacy decision’ goes against the UK then ‘rules applicable on international data transfers will come into force’, says the CNPD. In other words, there will be no explicit data transfer arrangements, or potentially the EU and UK will have to create a new framework.
‘Not many countries benefit from an adequacy decision from the European Commission,’ said Julien Leroy, Senior Legal Adviser with the Luxembourg Bankers Association (ABBL). As for how the equivalence talks are progressing: ‘we don’t have any visibility on this other than being told the European Commission is working hard on reviewing standards,’ he said. Given the recent lack of willingness to strike deals by the UK, the smart money would assume a ‘no-deal data Brexit’.
So financial services firms need to conduct a review of their data flows to ensure they are able to cope with a no-deal data Brexit, or risk the harsh penalties set out in the GDPR. Leroy’s sense is that most Luxembourg banks who have acted have not taken any chances, and have either created separate data silos or have thorough standard contractual clauses in place.
Contractual solution
So what would this mean for cross-English Channel data exporters and organisations in the EU holding legacy data from the UK? If there’s no equivalence decision, data flows must cease and relevant data must be repatriated to the UK. Alternatively, measures deemed to be ‘appropriate guarantees’ as referred to in Article 46 of the GDPR could provide sufficient protection for personal data. Leroy says the main solution consists of creating ‘additional safeguards – standard contractual clauses – to ensure that the transfer is secured and data is being protected in the same way as under GDPR.’
However, this latter route is potentially fraught, as highlighted by the 16 July ‘Schrems II’ decision by the Court of Justice of the European Union which invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework. More than 5,000 U.S. companies had built their trans-Atlantic data trade relationships on this basis. While the decision upholds the validity of standard contractual clauses, additional case-by-case guarantees are required.
Another alternative is that the EU and UK agree a bespoke arrangement, such as the rules applicable to European Economic Area countries. ‘The TCA has only a few paragraphs dealing with data protection, and it’s very high level, with nothing of substance,’ Leroy notes. So in what context might these talks take place?
Unelected London and Brussels bureaucrats
The key to future EU-UK relationships appears to lie in the highly complex institutional framework set out in the TCA. This establishes no fewer than 19 specialised committees featuring EU and UK civil servants, but where data protection (or financial services) will fit into these remains to be seen. It could be the Trade Specialised Committee on Services, Investment and Digital Trade, or the Trade Specialised Committee on Regulatory Cooperation. These will report to a Trade Partnership Committee which itself will ultimately be responsible to the Partnership Council featuring politicians.
Exactly who will sit on these bodies, when and where they will meet, how they will make decisions, how these decisions will be enacted, and how disputes will be resolved is still to be arranged. A former UK civil servant with Brussels experience told the website Politico it will resemble the architecture of the European Free Trade Association (EFTA) council, the intergovernmental organisation for the relationships with Iceland, Liechtenstein, Norway and Switzerland. The difference is that it will be ‘far less transparent’. Whether the UK and EU parliaments will have oversight is also not known. ‘How do you lobby this structure?’ asked Institute for Government associate director Maddy Thimont Jack.
It’s somewhat ironic that much of the anti-EU narrative in the UK was driven by the idea of decisions being taken by ‘unelected Brussels bureaucrats’, only for this fictional view to be enacted for real post-Brexit. The UK government will hope being politically nimble could be decisive in this committee work. EU member states will rely on the persuasive power which flows from being more than six times larger than the UK.