Conexus Law, the specialist advisory firm that provides legal and commercial advice to clients who work in sectors where the built environment, technology, engineering and people converge, is urging companies to prepare for the strong possibility that the EU will fail to agree that the UK has an “adequate data protection regime” after the transition period at the end of the year. This will mean that businesses will face barriers to transferring personal data between the UK and EU countries under GDPR. The warning comes on the back of the ruling by the European Court of Justice at the beginning of July that reversed the prior adequacy decision of the EU for the USA – rendering its Privacy Shield ineffective.
Ed Cooke, Founder at Conexus Law, said: “The UK’s use of mass surveillance techniques, our Investigatory Powers Act, and our membership of the Five Eyes intelligence sharing community have raised particular concerns with the EU – especially in relation to the sharing of data with the US, and even more so given the recent Schrems II decision on the Privacy Shield scheme. What is clear is that once a decision has been made then companies will need to move quickly to ensure they are not severely impacted.”
Failure to reach an agreement would mean that companies will need to look at alternatives such as Standard Contractual Clauses and binding corporate rules. Ed reiterates that merely relying on consent is not really an option for most businesses.
“Each of these options has its challenges with consent generally viewed to be unworkable as it can be revoked at any time. Standard Contractual Clauses were upheld in the ECJ in its judgment on Privacy Shield, but the judges did cast some doubt on whether or not these offer suitable protection in all cases without businesses adopting further practical measures such as encryption, to ensure the protection of personal data,” explains Ed.
Conexus Law is advising companies to start preparing now. Companies should already have a full audit of what personal data they collect and where it is stored and transferred to, including back-ups that may be held by cloud-based providers with datacentres all over the world. This audit needs to include all suppliers and partners that data is shared with. The next stage is to look at Standard Contractual Clauses and decide whether further measures are required based on the specific data being transferred. If not, consideration should be given to additional methods such as encryption.
“It seems that an adequacy ruling under GDPR is being used as a BREXIT bargaining chip in relation to other unrelated diplomatic negotiations taking place. Unfortunately, businesses may end up bearing the brunt of this and I would highly recommend that they start to prepare now,” concludes Ed.