Firms face scramble for post-Brexit data transfer deals

brexit 2Brussels data protection chiefs have issued yet another shot across the bows to UK-based companies which transfer data to and from the EU, warning them that existing agreements that have been signed off by the Information Commissioner’s Office will be invalid in just over 150 days.

The European Data Protection Board has urged firms which use so-called “binding corporate rules” (BCRs) that they must get approval from other EU data protection regulators as, from December 31, the ICO “will no longer qualify as a competent supervisory authority”. However, time is not on their side – it can take between six and nine months to get BCRs approved.

According to the European Commission website, brand owners which use BCRs approved by the UK regulator currently include Astra Zeneca, Accenture, American Express, BP, BT, Citigroup, Ernst & Young, GlaxoSmithKline, Hyatt, IBM, IMS, Motorola and Verizon Communications. Data centre giant Equinix has reportedly already decided to switch to the Dutch regulator.

The EDPB stated: “As the ICO will no longer qualify as a competent supervisory authority under GDPR at the end of the transition period, the approval decisions of the ICO taken under GDPR will no longer have legal effect in the European Economic Community.

“In addition, the content of the BCRs in question may need to be amended before the transition period ends, as these BCRs generally contain references to the UK legal order.

“[Companies] need to put in place all organisational arrangements to identify a new supervisory authority; the change will have to take place before the end of the Brexit transition period.”

The move comes just a fortnight after the EU Court of Justice ruled that Privacy Shield – the transatlantic data transfer pact between Brussels and the US – was invalid. At the same time, it ruled that standard contractual clauses remain valid but must be assessed on a case-by-case basis, with the data protection authority having the final say.

However, further analysis of the ECJ judgment has thrown up new threats, according to legal firm Mishcon de Reya.

In a blogpost, the company states: “Those wishing to transfer personal data out of the EU, by means of standard contractual clauses , should, at the very least, undertake a case-by-case and sufficiently detailed assessment of the transfer, and of the level of protection in the recipient country, and adopt supplementary, extra-contractual, measures and safeguards to ensure compliance with a standard of protection of personal data essentially equivalent to that in the EU.

“Failure to do so puts the parties at risk of dispute with each other; at risk of regulatory action including, but not limited to, a stopping of the transfer; and at risk of complaints and claims by data subjects.

“We emphasise the third of these: in addition to the regulatory risk, [those who] transfer data out of the EU will need to consider their risk profile in respect of private damages claims for failure to comply with the protective provisions of GDPR – there will be many data subjects wishing to pursue a damages claim.”

Related stories
US tech giants rocked as Privacy Shield gets the chop
Fears ease over Brexit data deals…thanks to Facebook
CBI: No deal Brexit will rock data industry from day one
Industry calls for Brexit ‘Plan B’ as budget growth stalls
Japan seals EU data transfer deal as UK firms await fate
Industry fears mount over prospect of no-deal Brexit
Industry urged to back Brexit deal to secure data flows
DMA gives cautious backing to draft Brexit data deal
DMA issues dire warning over post-Brexit data transfers
Firms urged to set up their own EU data transfer deals