International business faces post Brexit data threat warns legal expert

From 1 January 2021 the United Kingdom will lose its automatic status as a safe destination for EU data when it falls outside of the EU’s legal jurisdiction. This will affect all EU data to be transferred to the UK (or any ‘third country’ that is not an EEA member).

According to Phil Brown, a specialist lawyer at Conexus Law, it is doubtful that transfers from the EU to the UK will be compliant with GDPR following a court case in October which held UK law incompatible with EU law – and similarly no transfers to the US would be compliant following a judgement in July 2020 which rendered Privacy Shield invalid.

“This clearly poses a huge threat to international business and it is hard to see that it will be allowed to continue, although equally the contrasting views of Europe and the US as to data protection mean it is a difficult one to see resolved without wholesale legislative changes to either the European or US regimes. The UK is clearly more aligned with the rest of Europe, and so one would hope that the differences can be resolved swiftly and effectively but given the political implications of Brexit across Europe there remains a distinct lack of clarity,” comments Phil.

Phil has created a guidance paper on the subject which outlines the possible options for businesses and likely outcomes.

HOW CAN CONEXUS LAW HELP?

Businesses and individuals will need legal advice to help them understand the risks they may face and the options that may be open to them.
We are available to assist in reviewing the laws in many jurisdictions across the world, and to review specific contracts. We are also available to provide practical, business-orientated advice on how to best protect yourself from the ongoing commercial effects of Covid-19.

Contact

For further advice on GDPR or pursuing your contractual rights, please contact Philip Brown.

T: +44 (0)20 7390 0289
M: +44 (0)7887 538308
E: philip@conexuslaw.com


Law firm warns of Post Brexit GDPR impact

Conexus Law, the specialist advisory firm that provides legal and commercial advice to clients who work in sectors where the built environment, technology, engineering and people converge, is urging companies to prepare for the strong possibility that the EU will fail to agree that the UK has an “adequate data protection regime” after the transition period at the end of the year. This will mean that businesses will face barriers transferring personal data between the UK and EU countries under GDPR. The warning comes on the back of the ruling by the European Court of Justice at the beginning of July that reversed the prior adequacy decision of the EU for the USA – rendering its Privacy Shield ineffective.

Ed Cooke, Founder at Conexus Law said: “The UK’s use of mass surveillance techniques, our Investigatory Powers Act, and our membership of the Five Eyes intelligence sharing community has raised particular concerns with the EU – especially in relation to the sharing of data with the US, and even more so given the recent Schrems II decision on the Privacy Shield scheme. What is clear is that once a decision has been made then companies will need to move quickly to ensure they are not severely impacted.”

Failure to reach an agreement would mean that companies will need to look at alternatives such as Standard Contractual Clauses and binding corporate rules. Ed reiterates that merely relying on consent is not really an option for most businesses.

“Each of these options has its challenges with consent generally viewed to be unworkable as it can be revoked at any time. Standard Contractual Clauses were upheld in the ECJ in its judgment on Privacy Shield, but the judges did cast some doubt on whether or not these offer suitable protection in all cases without businesses adopting further practical measures such as encryption, to ensure the protection of personal data,” explains Ed.

Conexus Law is advising companies to start preparing now. Companies should already have a full audit of what personal data they collect and where it is stored and transferred to, including back-ups that may be held by cloud-based providers with datacentres all over the world. This audit needs to include all suppliers and partners that data is shared with. The next stage is to look at standard contractual clauses and decide whether further measures are required based on the specific data being transferred. If not, consideration should be given to additional methods such as encryption.

“It seems that an adequacy ruling under GDPR is being used as a BREXIT bargaining chip in relation to other unrelated diplomatic negotiations taking place. Unfortunately, businesses may end up bearing the brunt of this and I would highly recommend that they start to prepare now,” concludes Ed.