It’s all just data over the bridge

09 March 2021

As 2020 came to a close, the United Kingdom (UK) and the European Union (EU) thrashed out a deal – as part of the long-drawn-out Brexit negotiations – to facilitate the movement and security of data between the exiting country and the 27-member bloc. More precisely, they agreed a bridging arrangement under which the EU will continue to treat the UK as an adequate jurisdiction for up to six months, pending any full adequacy finding for the UK.

This means that, for now, personal data can continue to flow from the EU to the UK without the need for millions of contracts and impact assessments. Does that mean that there is no change on the privacy front post-Brexit? Not quite.

There was some positive news last weekend when the European Commission (EC) – yes, the one the UK had a public spat with over the Covid-19 vaccine roll-out – confirmed it had kick-started the process that would allow the personal data of EU citizens to keep flowing freely to these shores. All being well, it will save businesses on both sides of la Manche billions of pounds and euros. However, it is too early to start popping champagne corks: there is still much to be done, and there is no guarantee of what will happen when the honeymoon period is over.

“The interim period is four months but will automatically be extended for a further two months if an agreement is not met,” says Neil Thacker, DPO and CISO for security specialist Netskope. “After the full six months, there are two options: the EU will either adopt an adequacy decision for the UK, or the UK will amend the UK GDPR or UK Data Protection Act 2018 without the consent of the EU, which will automatically end the temporary agreement.”

If the interim period expires without an adequacy decision, the UK will default to being a ‘third country’ under the GDPR, with all the consequences that entails. Reinout Bautz, general counsel at European outbound email security specialist Zivver, says additional measures would then need to be invoked. “For example, the existing data processing agreements with external parties will no longer be sufficient and another ‘standard’ agreement with all such controllers / processors / sub-processors would need to be executed,” he continues.

Zivver boasts a list of clients consisting of UK mortgage lender Paratus AMC, Douglas Macmillan Hospice, Fetal Medicine and the Dutch Judicial System. Zivver says companies in these sectors are specifically interested in its solution to help them secure outbound email communications and ensure compliance with evolving data protection regulations.

Bautz adds that when a company is part of a group of companies in Europe, the internal transfer of personal data also needs to be accommodated. “A party may consider for this preparing Binding Corporate Rules, as described in the GDPR,” he continues. “However, this is a very burdensome and time-consuming exercise and has to be approved by a leading supervisory body within the EU. Given the current workload of all such supervisory bodies, it is unlikely that this could be arranged quickly.”

Meanwhile, Heimdal Security, a Danish cybersecurity specialist headquartered in Copenhagen, is making the bold move of building a strong presence in the UK despite Brexit. What’s more, Ruth Schofield, the firm’s UK country manager, says UK enterprises should “absolutely” be worried about security when the data adequacy bridge deal comes to an end.

“We firmly do believe that when a deal eventually expires, even after a possible extension, this will have a strong impact on the flow of data between the UK and the EU, especially where data is put ‘at rest’,” warns Schofield. “The problem applies to both the EU and the UK. The UK has very strong spending on its cybersecurity posture, better than the EU average, but the EU has a very firm belief in enforcing its GDPR principles. If those principles are compromised, it will be tough to accept for EU politicians, and hence a likely battle between the EU and the UK is on the horizon as to where and how data is put at rest.”

Meanwhile, Sophie Chase-Borthwick, VP of data ethics and privacy at end-to-end managed data services provider Calligo, warns that “without trying to cause alarm, there is no sign yet that adequacy will be awarded to the UK”, which means we don’t know exactly how things will look at the end of the bridge period. What’s more, she adds that awarding adequacy takes time – to date, the quickest it has been awarded was in the case of Argentina and that took some 18 months to happen.

That said, it appears the UK might not have an uphill task to get what it needs.

“In some ways, the UK is well placed to be awarded adequacy,” Chase-Borthwick argues. “The UK’s Data Protection Act 2018 was arguably written as an implementing act of GDPR aligning with EU regulations. However, there are some misalignments with the UK’s Investigatory Powers Act 2016, and the Data Protection Act and the EU’s Charter of Fundamental Rights. In addition, the UK’s close security relationship with Australia may also come under the spotlight. Australia was itself refused adequacy by the EU.”

She adds that, “with that in mind”, even a former EU member cannot treat adequacy as a mere formality. If adequacy is not confirmed by 30 June 2021 and there is no further extension, EU-to-UK transfers could in principle be prohibited immediately. “Any business with operations in the UK that processes EU personal data will therefore need to adapt its own data strategies to provide the necessary protections that the EU requires and that the UK’s national legislation would technically have been deemed to not require,” says Chase-Borthwick.

With no definite measures in place, UK enterprises will be venturing into the unknown – does that mean they will be more exposed to hacking?

“Yes, but as UK businesses in many cases already have a solid spend on cybersecurity, we firmly believe that the only change required is towards more innovative and ground-breaking solutions, where the mobility of the data and the user is taken into consideration,” says Schofield. “We see UK companies’ spending still being more around reactive security posture spending, such as antivirus and detection, whereas EU companies are leaning more towards mitigating excessive user rights or other problems before they escalate, and towards auditing threats before they are allowed to enter the company domain.”

So, if things are likely to get worse before they get better, what’s the thinking behind opening a UK presence at what is arguably the worst time to do so?

“The UK is a critical region for Heimdal’s global growth strategy,” Schofield continues. “We envisage the challenges of data security/data protection heightening further, with post-Brexit panic potentially exacerbating those challenges. Equally, UK industry will benefit hugely from Heimdal’s mitigative approach to securing their data, and fundamentally how we provision this is in full accordance with GDPR.”

Now, it’s time to look at the options open to enterprises – in other words, how can they protect themselves?

“There are some measures that companies ought to be taking urgently simply because the UK has left the EU, and regardless of any adequacy decision,” says Chase-Borthwick. “These are: whether they need to update privacy notices, whether they need to add a new lead supervisory authority or amend the current one. For a business that targets the EU market, they might need to appoint an EU Representative within the EEA to act as a local point of contact for individuals and EEA data protection authorities.”

That’s not all. Chase-Borthwick says firms must also consider what mechanisms they use to legally transfer personal data between the UK, EEA countries and non-EEA countries, and whether these are suitable in light of the Schrems II decision.

“In addition, if adequacy is not granted, businesses then have further obligations,” she continues. “If a business transfers personal data from EEA into the UK it must ensure appropriate safeguards are in place, as per Article 46 of the GDPR. These include: standard contractual clauses, binding corporate rules (rarely used and require supervisory authority approval), derogations and specific data subject consent. Plus, if they are transferring personal data that is subject to the GDPR from outside the EEA into the UK (i.e. non-EEA to non-EEA), technically they may only rely on consent or binding corporate rules. However, it is generally accepted that where these are not feasible, standard contractual clauses are unlikely to be challenged.”

Scaremongering stories will abound, but Bautz says that “it is not anticipated that the agreement will expire without a further arrangement in place; an extension (or a superseding adequacy decision) is the most likely outcome”.

Thacker is of a similar opinion and expects that, for the benefit of citizens and businesses, both the EU and UK will want to come to an agreement within the six months. “As we have seen during previous negotiations, delays and uncertainty directly impact businesses,” he continues. “Enterprises should already have a good understanding of data flows from the EU to the UK and vice-versa as well as data flows across the globe. This is currently a legal requirement under the General Data Protection Regulation (GDPR), whereby organisations must have an accurate and up-to-date Record of Processing Activities (RoPA – see Article 30). This RoPA should include details of where the data resides and what data transfer agreement is in place to allow for the data to be transferred.”

Thacker further argues that “it is imperative that organisations keep this record up-to-date and include all details of data transfers”, including any cloud service providers that are used.

“As the average enterprise organisation uses over 1000+ cloud services, it becomes a fundamental requirement that they continually assess any new cloud services that are introduced,” he adds. “For all UK-EU and EU-UK transfers, organisations should be prepared to include Standard Contractual Clauses (SCCs) as an alternative to an adequacy agreement.”

Businesses in all sectors must take notice of this agreement, says Thacker, as any industry that relies on the free flow of data between EU-UK and vice versa could be impacted. Bautz says there are some sectors that might be more worried than others. “Those that process a lot of personal data, including - but not limited to - financial services, legal, healthcare and other parts of the public sector,” he says. “As for such sectors, potentially many data processing agreements and internal data transfer arrangements are in place and have to be reviewed.”

The movement of data is only going to get faster, so businesses will be hoping a decision will be made just as quickly.