Adequate = Excellent
By Steve Sullivan, Head of Regulatory Compliance
When it comes to Data Adequacy, it’s been a slow process for the UK to gain full agreement from all the EU institutions and although we cannot be 100% sure, it’s now looking almost certain that the EU will deem the UK’s data protection regime ‘adequate’. This will then allow data transfers to continue between the UK and EU as it does at present. For further detail from ICO click here
The lawyers’ lament
An ‘adequacy’ decision is one of the most important rulings needed to ensure uninterrupted trade in data and services for the UK with the EU, post-Brexit. Without this decision, thousands of individual contractual arrangements would have to be created to cover companies needing to transfer personal data between the UK and EU and vice versa. As we’ve explained before, aside from all the business process disruption that would be caused if the UK’s data protection regime was to be ruled inadequate, there would be a massive, direct legal cost – as covered in our previous article. The New Economics Forum estimated in a recent report that the legal work necessary without an adequacy decision would have cost British businesses between £1bn and £1.6bn. Listen carefully and you can hear the quiet sobbing of contract lawyers missing out on all that work. Tragic!
So, the adequacy decision is great news, but here’s something else to worry about.
The Privacy Shield was an arrangement designed to provide a mechanism for personal data to compliantly flow between companies in the US and the EU. However, the framework collapsed last summer after being ruled invalid by the European Court of Justice in the Schrems II case – for details click here
You might not directly deal in the personal data of individuals in the US, but it would be a rarity for an organisation not to use any US based technology or solutions that make use of data centres in the US. If so, then you need to address this challenge. Remember, the legal definitions of data processing are extremely broad, so having static data in storage in the US or even being visible on an ad hoc basis to a support engineer working on a case both count as ‘processing’.
There are many organisations that still haven’t managed to create alternative arrangements to transfer personal data across the Atlantic. The EU is working on a replacement for the Privacy Shield, but there is no guarantee this can be agreed any time soon. The data protection regulators, like the Information Commissioner’s Office in the UK, aren’t rushing to penalise companies still transferring data under pre-existing arrangements. But those legacy arrangements aren’t compliant and your business partners, clients and risk management colleagues are all likely to start looking for businesses to put a solution in place.
More work for you and the lawyers!
To create a solution you will probably be reliant on using Standard Contractual Clauses (SCCs) as the basis for transferring data legally. SCC’s are a type of agreed and boilerplated legal solution that provides an outline framework to ensure that both parties are handling data compliantly, onto which the specific business and process details are added. Unfortunately, the SCCs are in the process of being amended and updated – for further information click here
There are draft new versions you can make use of, but you might find that your commercial law firm will soon need to change them again if the final version is different. So, more cost and more uncertainty, but good news for those work-deprived contract lawyers.