The Daily Mirror commented on the impending end of the Brexit transition period and SME compliance with any new data protection rules. They have a couple of Govt. officials and ministers saying that people had better get ready. In my LinkedIn post on the topic, I suggest it might be a bit late and we still have a moving target because we don’t know if there’s going to be a post-transition deal; one is necessary to establish adequacy equivalence while our application for adequacy is considered. Here are some notes and a bit of polemic. …

The Mirror story was hooked onto an ICO statement, whose advice is most recently posted here; we should note that the advice does not apply to the US or Switzerland. Basically they advise creating data exchange contracts with your correspondents, using “standard contractual clauses”. Unfortunately, due to the ruling from the ECJ known as “Schrems II”, contracts will be needed for each correspondent. I am surprised that no-one is offering an aggregator service.

The Schrems II ruling places a big question mark over the US Privacy Shield and thus the Adequacy compliance of the US-owned cloud & SaaS providers. I found this summary at Field Fisher’s site.

This ruling declared invalid reliance on the EU-US Privacy Shield as a lawful mechanism for exporting data to the US, due to concerns about surveillance by US state and law enforcement agencies (and with the subsequent effect that the Swiss-US Privacy Shield has also suffered a similar fate in the past day). It upheld the EU Standard Contractual Clauses (“SCCs”) as a lawful mechanism for data exports, but subject to an assessment of the recipient territory’s laws and the potential need to put in place “supplementary measures” to ensure that exported EU data remains protected to a standard that is “essentially equivalent” with EU law.

This is going to be very difficult, and the UK exceptions and law enforcement powers may make Adequacy hard to achieve. Neither the Commission nor the US Govt wants to stop the flows of personal data, but the law’s the law and many of the EU’s citizens are the children of fascist and Stalinist societies and consider privacy and the scale enabled by automation to be real threats to liberty.


The ICO hosts its advice at this page.

