Can UK organisations still hold personal data abroad?

Paul Ticher, author of Key Guides: Data Protection for voluntary organisations, takes us through the future of data protection regulation for the UK.

Adequacy: the debate moves on

The withdrawal agreement between the UK and EU that took effect on 1st January 2021 provided for a transition period of at least four and up to six months, during which transfers of personal data between the UK and EU could continue as before.

The agreement envisaged that during that period the EU would make an ‘adequacy’ decision on the UK’s data protection legislation, so that personal data could continue to flow smoothly in both directions.  (The UK had already deemed the EU – and the other countries approved by the EU – to be ‘adequate’.)

Things seemed to be going to plan in mid-February when reports appeared that the EU was about to make its decision, and a draft decision was published, which noted that the UK data protection legislation is based on the EU GDPR.  So far, so good.

The process requires an opinion from the European Data Protection Board (EDPB) and approval from a committee composed of representatives of the EU Member States.

However, the statement contains a warning, saying: “… it is essential that the adequacy findings are future proof now that the UK will no longer be bound by EU privacy rules. Therefore, [the decision] would be valid for a first period of four years. After four years, it would be possible to renew the adequacy finding if the level of protection in the UK would continue to be adequate.”

Relief all round then?  Think again!

The UK government welcomed the EU announcement, but data protection practitioners were not confident that this would be the end of the story, foreseeing the possibility of a fraught future relationship if the UK drifts away from the EU approach.

So where does this leave decisions about transfers abroad and, in particular, the use of cloud computing?  Here is a summary of where I think we are.

The GDPR approach has always been that when personal data has been given a high degree of protection – such as that offered by the EU – it should not lose that protection when it is transferred to other jurisdictions.  Broadly, there are three alternative approaches:

  1. If the recipient jurisdiction has sufficiently similar data protection legislation (as confirmed by an EU ‘adequacy’ decision) the transfer is no more restricted than it would be within the EU.
  2. In most other cases there is a range of specific arrangements that may be made, generally through contracts between the sender and recipient that incorporate EU-approved Standard Contractual Clauses.
  3. Where the transfer is low volume and/or frequency and has been assessed as low risk, either by the sender according to criteria set out in GDPR, or by the data subject in giving consent, no additional precautions are required.

The situation with the USA has always been complicated, as it has no national data protection legislation, but is the base for a large number of IT providers whose systems may be used to hold personal data.  The most recent development has been that the European Court of Justice (ECJ) has said, in effect, that under US domestic law no contractual or formal arrangement (such as Privacy Shield or its predecessor Safe Harbor) can over-ride the US government’s ability to access personal data.

Until the UK left the EU one of the most common solutions to this dilemma was to use the services of US-based companies that undertook to hold EU personal data only on servers within the EU.  Ireland has been one of the key locations for this.

On leaving the EU the UK made an ‘adequacy’ decision for the EU, which means that UK organisations can continue to store their data safely within the EU, provided the EU makes an equivalent adequacy decision in respect of the UK.  (Otherwise you could send your data to the EU but not get it back when you needed it.)  See above for recent indications that a positive decision is imminent.

A positive adequacy decision by the EU would mean that using EU-based servers would continue to be a safe option, and would avoid any complications with the USA, but only as long as the EU doesn’t change its mind.  There are no suggestions that this is under active consideration, but one possible scenario is that the UK might unilaterally override the ECJ decision and recognise Privacy Shield as making the USA a safe destination.  Were that to happen, the EU may well revoke its adequacy decision.

This leaves UK organisations with three possible options for storing personal data:

  • Hold it exclusively in the UK. This is guaranteed to avoid unwelcome data protection issues, but may restrict the services that are available.
  • Hold it within the EU. This is currently a safe option – assuming an adequacy decision is made without delay – but may become problematic if the UK and EU data protection regimes diverge and the EU’s adequacy decision is revoked.
  • Hold it in the USA, under Privacy Shield and Standard Contractual Clauses, and make the assumption that the UK government will ignore the concerns of the ECJ.

All this means that it is probably not the best time to be making any long-term decisions.  Whatever you do, there may be a case for putting something into your risk register and keeping things under review.

A fly in the ointment

For some UK organisations there is an additional fly in the ointment.  Adequacy decision or no, UK organisations that actively offer goods or services to EU residents could well need to appoint an EU representative to act as a local point of contact for EU data subjects who may wish to make a complaint or report non-compliance.

The EU representative is not just a post-box.  They have to take full responsibility for sorting out any problems (and, for that matter, paying any fines).

If you think this could apply to your organisation, it would be wise to take advice.


About Paul Ticher

Paul is author of Key Guides: Data Protection for voluntary organisations published January 2021.

He is an independent specialist, with over 30 years’ experience of data protection in the voluntary sector. However, he is not a lawyer. This article may not be a complete or accurate statement of the law, and it is not intended to be legal advice. It is also based on information available at the time of writing on 16/3/21.

If you have any questions on this blog, please do contact Paul at