Operation Yellowhammer – What the leaked Government Brexit planning tells us about UK – EU Data Protection.
On Sunday the 18th of August 2019 the “baseline worst case scenario” UK government planning document compiled by civil servants in Whitehall and used for government Brexit planning was published in full by The Sunday Times newspaper. The government was quick to state that these were indeed worst-case scenario plans and that subsequent “no deal” preparatory measures taken since the new Prime Minister came into office in July meant that the document was already out of date. The document outlines key planning assumptions across multiple different ways in which Brexit will impact the UK including delays at channel ports, disruptions to the supply of pharmaceuticals, food and water, law and order, financial services and energy.
Data protection is also referred to. The document opens by stating that the UK reverts fully to “third county” status. The significance of this is that the UK will fall behind countries such as the Ukraine who have signed deals with the European Union (EU) to allow for basic cooperation in areas such as visa free travel. Under a “no deal” scenario the UK would revert to a status of having no such agreed mechanisms with the EU. However, we must give the proviso that some management agreements have been made to ensure the operation of things such as the channel tunnel and the safe operation of air travel post 31st of October.
The implication for data protection as a “third country” is that there will be no mechanism to allow for the free flow of personal data from the EU to the UK. Indeed, the Yellowhammer document states that with regards to data “the EU will not have made a data decision with regard to the UK before exit. This will disrupt the follow of personal data from the EU, where an alternative legal basis for transfer is not in place. In the event of a no deal exit, an adequacy assessment could take years”.
The key thing here is the adequacy assessment. As a member state of the EU you are automatically part of the digital single market and data can pass from the EU to the UK and vice versa unhindered. Counties outside of the EU are subject to an “adequacy assessment” whereby a metaphorical slide rule is applied to assess a country’s data protection and privacy standards to discern whether the EU reviews them as being adequate to allow for the reciprocal exchange of personal data. The list of countries benefiting from an adequacy decision is rather small and excludes most of the world’s major economies including China, India and the United States (where the EU-US Privacy Shield operates as a poor substitute). The assertion in Yellowhammer that an assessment “could take years” is correct if you look at the case of New Zealand where it took 6 years for an adequacy decision to be made. However, Japan recently benefited from an adequacy decision in a much shorter time frame as part of the recently agreed EU-Japan trade deal.
Given that GDPR has been adopted in the UK through the Data Protection Act 2018 you may have thought that an adequacy decision could be made comparatively speedily, in particular bearing in mind the leading role taken by the UK Information Commissioners Office (ICO) in proposing multi- million pound fines for British Airways and Marriott Hotels for breaches of GDPR. However, the UK’s wide-reaching state security surveillance powers as enacted in the Investigatory Powers Act 2016 mean that the UK may fail an initial adequacy assessment. Ironically, it is possible to get away with such inconsistencies as a member state but they are highlighted and could be become a problem during the exhaustive process of an adequacy assessment.
The Sunday Times outlines a possible “data cliff edge” that could occur due to the lack of an adequacy decision which could impact bank transfers and ecommerce. While the UK government has said it will recognise the EU as an adequate recipient of UK data the EU has not reciprocated. It also states that the European Commission has said it will not consider data protection as part of a trade deal because it is viewed as a fundamental rights issue. The Japan trade deal would appear to contradict this assertion.
However the wording of the Sunday Times commentary appears to suggest that this whole problem is under the exclusive control of the UK government and European Commission when the reality is that businesses can do a great deal to ensure that they continue to successfully operate regardless of what may happen in October. For organisations trading with third parties in the European Union they simply need to ensure that their contracts are fully up to date and contain Model Contract Clauses (MCC’s) covering the international transfer and processing of personal data. While this can be a laborious process, data protection officers at UK organisations will have had to carry out a similar exercise in advance of the introduction of GDPR in 2018 so it is a matter of returning to those recently reviewed third party contracts and ensuring that the requisite MCC text is inserted.
Meanwhile for organisations with multiple offices in both the UK and EU they should be considering incorporating Binding Corporate Rules (BCR’s) and getting these signed off by a data protection regulator to ensure the continuing free flow of personal data across a corporation or group of companies.
It must be empathised that businesses trading in countries outside of the EU should be following these practices anyway so it should not unduly onerous to apply the same processes when undertaking business in the EU. In reality we should be facing less of a “cliff edge” and more of a speed bump with regards to the free flowing nature of personal data in the event of a “no deal” exit for the EU and it is to be hoped that businesses large and small will benefit from cogent advice from the UK government in order to work with their customers and suppliers and ensure that this is the case.
For the guidance from the Law Society of England and Wales for Law firms and what they should be doing in the event of a no deal Brexit please click here.
Digital Law’s Managing Director, Peter Wright, is presenting a Law Society Webinar on International Data transfers on the 29th of August 2019. This webinar will refer to a lot of the issues discussed in this blog post. To find out more information or to book your place on the webinar click here.