Saturday 25 January 2020

Exporting personal data I: introduction (and a small Brexit niggle)


Well, I'm back.

I hope to carry on blogging about the law from the slightly different perspective that I have adopted in the past. In particular, I want to try talking about some difficult questions that I come across while working with clients and which I can't help thinking about in my spare time. Thank you for helping me scratch that itch.

This post is just an introduction. If you are familiar with how the GDPR works, then you should skip to the bit about Brexit.

The export of personal data

I want to start by talking about the General Data Protection Regulation, or GDPR as it is affectionately known, which will have been in force for two years in May. In particular, I want to talk about the regime create by the GDPR for the international transfer of data. From a technical point of view, transferring data around the world is, thanks to the Internet, not only straightforward but often invisible. However, from a legal perspective it is not so simple.

The reason why the GDPR tries to control international transfers of data is simple to see. The GDPR's aim is to create a region of really strong protection for personal data in the European Union and the European Economic Area. If someone processing personal data could simply transfer it outside that region and do whatever they liked with it, it would be really easy to get around the GDPR. The protection it gives would be much less useful.

How exports are controlled

The GDPR divides the world into two parts: a "safe" part, which at the moment contains the EU and the EEA; and a potentially wild and dangerous part consisting of what are called "third countries". By the way, there is (as far as I have been able to discover) no formal definition of "third country" as you might expect. It seems to be understood to mean anywhere that isn't a member state of the EU or the EEA, but maybe other countries (eg the UK after Brexit) could escape being "third countries" in the same way as the EEA members have done.

By default, moving data from the safe part of the world to a third country is forbidden, unless one of a (long) list of conditions is met. I plan to look through some of these conditions over this blog series, but in a moment, I will give a brief summary of two that are particularly significant.

Adequacy

The European Commission can declare that a country has "adequate" protection. Even though the country is a mere third country, it has done enough to live up to the high standards set by Europeans and data may be exported there.

This is a sort of data imperialism, perhaps with the hope that European data protection law will dominate the world. Given the steadily increasing list of countries declared "adequate", this may be working.

But, a word of caution about adequacy. Adequacy decisions can be made that are limited to certain kinds of transfer. In other words, just because a country is in the list, does not mean that you can just export data there without further thought. A few countries, for example the United States and Japan have adequacy decisions that are limited in various ways.

For example, the United States clearly does not think that it has to play along with the EU's data protection rules but has set up a system known as the "Privacy Shield" which allows companies to opt into a lightweight version of the GDPR. The USA only counts as having "adequate" protection for transfer to companies who are members of the Privacy Shield. I will have quite a bit to say about the Privacy Shield in a later blog.

Standard Contractual Clauses

A very popular option is for the export and importer to sign an agreement which contains a set of standard clauses approved by the European Commission (or in theory by another regulator). These are, in essence, a promise by the importer that they will not take advantage of the fact that the data is now outside the "safe" part of the world to do evil and/or unspeakable things to it and that they will in all ways be good. The standard clauses are meant to be enforceable by individuals whose personal data is being processed and they contain their own rules controlling further export of the data.

At first sight this system seems very flexible. Most transfer of data will either be internal to a company (in which case each part can sign the standard clauses) or be made subject to some terms or conditions, even if they are standard terms on a website. Including some standard material cut and pasted from the European Commission or elsewhere should be easy enough.

In practice there are quite a few difficulties with the standard clauses, which I intend to look at in some detail later in this series.

What about Brexit?

Unless something dramatic happens between now and then (given past history this is not entirely impossible), the effect of the EU-UK withdrawal agreement and the European Union (Withdrawal Agreement) Act 2020 is that the UK will leave the EU next week on the 31 January 2020.

Article 127 of the withdrawal agreement and section 1 of the Act keep EU law going in the UK for the time being during what is known as the "implementation period" until 31 December 2020 at 11.00pm GMT, though of course that data could end up being renegotiated. So at first sight it would appear that nothing will change for a while yet.

But I still have a concern. From the many examples I have seen, many agreements for sharing, selling or otherwise transferring personal data have provisions in them saying something like "... shall not transfer any personal data outside the European Economic Area..." or wording like that. The problem here is that, despite all the magic words about the implementation period, the UK will not as a matter of fact be in the European Economic Area and so any transfer within or to the UK may well end up being in breach of contract.

I have, since Brexit became a clear possibility, tried to press different wording on clients and their contracting partners. Typically I swap in "third country" for "outside the European Economic Area". It seems to me that the effect of the withdrawal agreement will be that the UK is not a "third country" until at least the end of the implementation period. The alternative would be to include a section attempting to explore all the possibilities along the lines of "If the UK is a member of ...." which seems complicated and fragile.

Does any of this matter? English courts are quite good at preventing over-literal readings of a contract. It's quite possible that a court would be generous and decide that the parties didn't intend that transfer to a country subject to EU law would be prohibited. But I can see the counter-argument quite easily. Not least that the UK is now not nearly as "safe" in GDPR terms as the EU was because in less than a year it could leave the whole protection framework behind. 

That is why I have called this a "niggle" and not a problem. Even so, it is much better to avoid having courts sort your contracts out for you. In my experience, ambiguities make it easier for an aggrieved party to get legal proceedings off the ground, even if they ultimately lose, or to refuse to comply with a contract without being taken to court. It is something that is worth correcting if you can.

No comments: