The recently published National Data Strategy ("NDS") promises a transformation of the UK's data practices. Even though GDPR will be transposed in its entirety into UK legislation, there is an expectation that this could be updated in line with the NDS.
The timing of the NDS was not great
At the moment, the European Commission is examining whether the UK's data laws will be in line with the EU's General Data Protection Regulation (GDPR) and Law Enforcement Directive after 1 January 2021, and whether to grant the UK adequacy. Adequacy would allow the movement of data vital not only to law enforcement agencies but also to the banking, health, entertainment, insurance and tech sectors.
Considering that Japan (among other countries) has been in the queue for adequacy for years and that the regulations around the world are all moving towards GDPR standards, the timing for the NDS is, to say the least, unfortunate.
Why the UK could not get adequacy and why SCCs alone may not be enough to fix it
Earlier this month, the European Court of Justice's Schrems II ruling invalidated Privacy Shield. The Court also specified that putting in place EU Standard Contractual Clauses alone would not be sufficient to transfer data to an importer in a non-adequate country. An assessment of the level of protection in the recipient country must have taken place. Such a risk assessment must take into consideration both the contractual clauses agreed between the data exporter established in the EU and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the data transferred, the relevant aspects of the legal system of that third country.
The EU authorities have expressed discontent with the UK's declarations on what the future rules governing access to data by UK national security authorities will be. This may mean not only that the UK could not get adequacy, but also that transfers to the UK may be restricted in certain cases.
However, in our view, in the worst-case scenario companies may need to take steps similar to those currently recommended for transfers to the US.
Our advice: Hope for the best but prepare for the worst
In either scenario, it is advisable to:
1. Know your people: Make sure you know who is in the processing chain (yes, that means finding out who all the sub-processors of the sub-processors are) and their legal disclosure requirements and policies. Surveillance laws are (in many countries) not a blank cheque. In most cases there are grey areas and judgement calls that must be made by the company. Understand what those requirements are and what criteria the players in the chain use to make judgement calls when it comes to disclosure.
2. Have a plan: Make sure you have a clear internal policy on disclosure.
3. Be transparent: Remind your users that in certain cases you may be required to disclose and that you have clear criteria for doing this (this is not always a bad thing: you may need to disclose data to find a missing person. If the data you disclosed helps the police find someone who might otherwise have ended up as a dead body in a ditch, it is good karma and positive PR).
4. Remember - Pay peanuts and you'll get monkeys: Sometimes you have to make a judgement call and not send data to a jurisdiction that is not safe enough. It's good for your users, which means it's good for your clients and therefore good for your business. Cheaper is not always better. Invest in quality; after all, privacy is all about trust.
Brussels is expected to seek assurances that the UK will recognise the implications of the ruling on its own treatment of European citizens’ personal information. Legal challenges to an adequacy decision would be expected in Brussels should the British government fail to offer failsafe safeguards, EU sources said.