On February 4, 2021, privacy expert Jonathan Armstrong joined us on ESI Survival Guide to talk about UK data transfers in a pro-Brexit world. Along the way we stopped and discussed adequacy decisions, the UK data protection practices, the GDPR, tips and tactics for those transferring data, Schrems I & II, the dreaded potential death knell of “hops” (no, not that kind of hops), fighting words, Facebook dating, privacy as an antitrust end around, French drones and French translators, Al Capone, the social media “Data Wars,” Australian vs. British reality TV and more. While the information Jonathan provided us regarding UK data transfers is as on point and invaluable as his wit, the context of our conversation was pre-UK adequacy decision. And so, it is very important that we asterisk this segment and say:
THE PROCESS TOWARDS TWO UK ADEQUACY DECISIONS FROM THE EUROPEAN COMMISSION BEGAN ON FEBRUARY 19, 2021. These two adequacy decisions applicable to EU-UK data transfers fall under the GDPR and the Law Enforcement Directive. Check out the Cordery alert on the adequacy decisions here – https://bit.ly/brexadq
The full text of each of the draft decisions can be found below:
That said, below is a lengthy breakdown of the topics we discussed along with some highlights. However, do not fret, the YouTube video has timestamps if you’d like to explore our discussion on your own.
Following some announcements, I introduce Jonathan Armstrong – a world-renowned cross-border data transfer expert and partner at Cordery based in the UK – www.corderycompliance.com. As you will learn, this prolific man has quite the impressive background, comparable to a fine wine.
What does the Trade and Cooperation Agreement between the European Commission (EC) and the UK say about the transmission of data between the UK and the EU?
There is a big difference between guidance from regulators, such as the European Data Protection Board (EDPB), which is non-binding, and adequacy decisions, which are made by the European Commission but can also be challenged. At the time of our discussion there was only a temporary treaty in effect and the status of an adequacy decision was very much up for debate. Either way, an adequacy decision ends up arguably as a political decision more so than a legal decision, which creates a number of uncertainties as laid out by Jonathan. Regardless of an adequacy decision, and despite what the EDPB may have said prior to February 19, 2021, it can be easily argued that the UK has “stitched” GDPR into its domestic legislation by virtue of the 2018 Data Protection Act.
What could happen if the extensions prescribed by the temporary Trade and Cooperation Agreement come and go and there is still no adequacy decision?
Jonathan goes into detail about the unique political climate currently surrounding a UK adequacy decision. He does so in the context of past administrations from Blair and the European Data Directive, through the implementation of GDPR during May, to the current Johnson administration.
He goes on to highlight the implications that a revocation of the temporary deal could have on eDiscovery and eDisclosure.
I’m with a UK company doing business in the EU and I regularly transfer data. If there is a GDPR-style regime already in effect, what is really going to change in the UK? Are there any major differences between the GDPR and the UK DPA or “UK GDPR”?
There are many reasons why an adequacy decision should be a foregone conclusion for the UK. These include:
- The UK has had data protection legislation since 1984, even before the European Data Directive.
- UK regulators have posted some of the biggest fines related to privacy violations, including two of the top five fines in 2020.
- In many respects, UK data protection law goes above and beyond the provisions of the GDPR and is even stronger.
- The EU has granted adequacy decisions to countries that are arguably less stringent on data privacy, and there are even derogations from data privacy protections from European Union member countries themselves.
Jonathan reinforces his point that an adequacy decision is more of a political decision through a few anecdotes, including the grounding of French drones used to enforce coronavirus restrictions following privacy complaints, as well as certain countries with adequacy decisions, such as Japan, that have been criticized for mass surveillance programs in line with criticisms levied against the US and the UK.
What is involved with the adequacy decision process? What does a country go through to achieve this designation?
Well – dinners and schmoozing aside, the applicant country goes to the European Commission. Then the EC does an assessment to see if it checks the right boxes as being equivalent to GDPR, though not necessarily the same. Once it passes this threshold, in a nutshell, the EC goes to the EDPB and lets them know they are going to give a decision in favor of the applicant. Then, traditionally, the EDPB gives an opinion that they either agree, disagree or need further action. Often the EC will canvass opinions from the European Parliament, which is where it can get rather interesting. The EC then gives a decision which then could, and likely would, be challenged in the courts, like with Schrems I against Safe Harbor and Schrems II against Privacy Shield. Such a challenge is unlikely to be heard until 2023-2024 despite pressure groups lining up for such an effort.
How much solace does an adequacy decision even give to a UK corporation? Could the courts of a member state challenge an adequacy decision from the European Commission?
An adequacy decision does provide some comfort, but not much more than that. Even with these large challenges to data transfers, you have “micro-challenges” as well. Jonathan talks about a fraud investigation from many years ago, where the subject of the investigation argued that certain evidence could not be used because it was the fruit of an invalid transfer and Safe Harbor did not apply. Inventive individuals and their counsel will raise such issues to prevent data transfers from impacting them (e.g., a litigant in the U.S. arguing the legitimacy of a transfer to prevent documents originating in the UK from being used against her or him in a proceeding).
Jonathan raises another concerning aspect related to data transfers made by U.S. corporations from the EU to the US by way of the UK. Essentially you could have challenges to both data “hops”: the first on an invalid adequacy decision and the second on standard contractual clauses (SCCs) not being properly utilized.
The conundrum of the data protection law and US courts is alive and well – the stakes are even higher!
The age-old tightrope that one walks between violating a U.S. discovery obligation and non-compliance with EU data protection law is still drawn taut, but now there could be a new wrinkle in the form of the “hops” that Jonathan mentioned during the previous question.
During a little reminiscing about when we first met while prepping for a panel together at the Georgetown Advanced eDiscovery Institute in 2012, Jonathan highlights a very scary possibility – another wrinkle to the “hop” wrinkle: the notion of the double fine!
If you are interested in fines under the GDPR then I recommend that you watch this particular clip. Jonathan goes on to discuss the WhatsApp case, where, though the DPC in Ireland is the lead regulator, the rumor is that the EU DPAs cannot agree on the level of fine (does this remind you of another major action against a major social media platform?). The UK regulators have also said that once the EU is done with any fine, they will also look at their own fine. And there it is, possibly, folks – the dreaded double penalty!
Regulators want to get their own day in the sun and will not necessarily give up just because another regulator pinged someone who has violated data privacy. However, there could likely be a settling of this mindset, like in bribery cases where regulators give credit for fines paid in other jurisdictions.
If I want to use BCRs as my transfer mechanism as a UK company right now – what do I do?
If you have an existing BCR scheme in place you are likely OK, and if you don’t have one in place then it’s probably too late. The Information Commissioner’s Office (ICO) is likely going to respect any BCR in place prior to the UK leaving the EU, so there should not be a major issue with BCRs in the context of Brexit. Jonathan goes on to discuss some interesting points regarding joint lead authority. However, BCRs are not the problem that will concern most; that will be standard contractual clauses (SCCs).
We go on to discuss the essential equivalency test, or double due diligence test, that a non-EU data importer must undertake in order for a transfer to happen in the context of SCCs. The “double” part of the double due diligence test involves the following two prongs: (1) the normal due diligence you would perform against the entity to which you are sending data, and then (2) another layer of due diligence on the location where the data importer or recipient is based. This second prong of this analysis can get very granular (i.e., a California analysis, a Virginia analysis, etc.). And with regards to granularity in this context, consider the fact that a state like California could possibly apply for an adequacy decision in its own right, which has been discussed by the European Parliament.
SURVIVAL TIP! Catalog these location-specific due diligence analyses in order to streamline future transfers. Don’t reinvent the wheel, but make sure to keep them updated.
Jonathan goes on to discuss due diligence analyses in the context of transfers pursuant to eDiscovery vs. global business operations with hundreds of processes to analyze across numerous data recipients. It’s also important to remember that many of the transfer mechanisms were engineered with regards to business data flows as opposed to making productions in a court of law. Just because you can make a B2B transfer, you still must consider that the production stage of discovery is also a transfer.
After a brief discussion surrounding BCRs and enforcement actions, we moved on to discuss the transfer mechanism that is much more commonly used, one which is currently shrouded in the most concern and controversy – standard contractual clauses.
What about standard contractual clauses? If I want to use SCCs in a post-Schrems world, what should I do?
The use of SCCs is still in much the same place as it was immediately post-Schrems II.
SURVIVAL TIP! If you are going to rely on SCCs, limit data where you can and rely on double due diligence where you cannot.
Ultimately, we can go back to basic GDPR principles, including data minimization.
SURVIVAL TIP! Cull in-country as much as you can. This is a best practice from a data transfer standpoint as well as from a general data protection point of view. Ask yourself the following questions (in the context of transfers to the U.S.):
- Do we really need this particular data set transferred to the U.S.?
- Is there a smaller subset of data that will be adequate for our purposes?
- Can we locate the data in the U.S.?
SURVIVAL TIP! With regards to email, if the recipients are in the U.S., you may not need the emails from senders in the EU/UK.
Following the above efforts to minimize the data set, with regards to the remaining data that must be transferred, SCCs are likely the only game in town. Then you move to the double due diligence test, which also should likely include an analysis of the U.S. state to which the data is being transferred. However, even with a state-by-state analysis, it is federal law that worries most transferring parties.
SURVIVAL TIP! Remember to be realistic. There is no perfect solution, and as with most actions involved during discovery, you want to be able to show that you used reasonable, best efforts, not that you strove for perfection. And of course, remember that to show your efforts, you must document them!
Government surveillance vs. national security concerns vs. social media. We are currently seeing real challenges to technology developers, namely social media/networking companies, in that they are having to give more consideration to where they physically operate. Will the law cave to tech, or will tech developers cave to evolving pro-privacy frameworks that are more localized?
I have to say that this segment is A MUST LISTEN FOR DATA TRANSFER AND PRIVACY ENTHUSIASTS!
In response to this question, Jonathan excavates an extremely eye-opening consideration regarding the regulation of Big Tech: that the undercurrent of some of the provisions of the GDPR was an attempt to discipline Big Tech. Jonathan explains how the right to data portability began as an antitrust measure, which then failed in that regard, so it got slotted into GDPR. He discusses how leveraging the triangle of data privacy, fair trade and antitrust can essentially help regulators support the next Sergey Brins emerging from their basement labs to challenge the technology goliaths.
Jonathan further explores the concept of data privacy as a mechanism to promote fair trade and address antitrust issues by talking about his interview with Max Schrems, the Cambridge Analytica/Facebook scandal, Facebook halting the European launch of its dating service following an inquiry by Ireland’s DPC, the creativity of regulators, and the nightmare scenario that would occur if similar circumstances played out in the eDiscovery context.
A little shout out to Al Capone is thrown in there for good measure.
The UK is clearly showing their intent to follow GDPR-style privacy protection principles. Does that bode well for a re-unification on the privacy front between the UK and the EU/EEA?
In terms of sheer numbers, the UK is pulling its weight in terms of enforcement. In late 2020, the ICO imposed two of the largest fines in UK data breach history against British Airways (20 million GBP) and Marriott (18.5 million GBP) (it should be noted that these fines were still large despite being reduced significantly from when the ICO first issued Notices of Intent to fine these companies). While some authorities bring more actions for smaller amounts, like Spain and Romania, the UK has imposed some of the largest fines for data protection violations. Many DPOs actually regret that the UK is out of the picture because of the investigative efforts and abilities they brought to the table. The ICO is very well resourced in comparison to many other regulators.
The initial Notices of Intent as well as the Penalty Notices for each of British Airways and Marriott can be read through the links below:
Ultimately, enforcement across the EU is, in many regards, the poorer for not having the UK on the team. Frequently the UK has been a voice of sanity, which has helped business and avoided a one-size-fits-all absolutism with regards to data protection enforcement. Already some countries and advocacy groups believe that, with the pro-business, or the balanced-business, bloc being weakened, and the pro-consumer and pro-employee blocs strengthened, the time is ripe for introducing new proposals to further toughen “next generation” GDPR.
What are your thoughts about EU Courts reducing the penalties levied against entities that have run afoul of the GDPR? Is this a response to the uncertainties still present with GDPR, an erosion in European thoughts around privacy, or a response to what many believe to be Draconian penalties under the GDPR? Could a UK court invalidate a penalty levied against a UK company for violations of the GDPR?
When the GDPR emerged, the most scrutinized aspect of the regulation was the penalties that could be levied for violations.
- Article 83(5) – Fines can be up to 20 million EUR, or in the case of an undertaking, up to 4% of its total global turnover of the preceding fiscal year, whichever is higher.
- Article 83(4) – For less egregious violations, fines of up to 10 million EUR, or, in the case of an undertaking, up to 2% of its total global turnover of the preceding fiscal year, whichever is higher, can be imposed.
Many European courts have reduced fines imposed under GDPR, and a UK court invalidating a penalty levied against a UK company for violations of the GDPR by an EU member state could be a nightmare scenario. Though we could face such a battle in the future, as part of the temporary deal, the UK has committed to observing pre-Brexit EU case law. However, this agreement comes with many caveats, including that high level courts need not follow it in some cases, so we are in a bit of an odd limbo land. That said, appeals of fines and reductions have been successful in the UK (to the tune of approximately 302 million EUR). And there have been massive reductions across the EU (e.g., the 1&1 Telecom case in Germany where 9.5 Million EUR was reduced to 900K EUR).
With regards to fines under the GDPR, there is very little consistency. Appeals present some very unique comparative law issues and conflicts analyses, and we see that there is a great hit rate on appeals if you can get into the courts of certain countries (e.g., Austria, Germany, Sweden). Reductions are also often possible if a party makes representations to regulators after a Notice of Intent has been served, as with the British Airways and Marriott cases discussed earlier. And, as we have seen with the recent Twitter case out of Ireland, regulators can disagree with, and ultimately dispute, the size of fines proposed by the Lead Supervisory Authority under the GDPR’s “One Stop Shop” regime, which makes a corporation subject to the regulatory authority in the country where it has its “main establishment” (i.e., headquarters).
Follow the link below to read the EDPB’s decision following the dispute over the Irish DPC’s fines levied against Twitter for GDPR violations.
Are co-regulatory models that marry industry expertise with regulatory authority the way of the future?
While individual cases have taken standards into account when, for example, assessing a data breach, formal certification programs have seen little progress. There is talk at both the national and the EU level about various certification schemes and industry led schemes, but there is not that much chatter.
What are the three items in your Post-Brexit Survival Kit?
Jonathan discusses his two post-Brexit survival kits. They include a sensible one and, as is necessary in this day and age, a comedic one:
- Jonathan’s sensible post-Brexit survival kit:
  - Clarity with regards to communications to staff and clients about the litigation risk associated with data transfer positions, akin to the issues underlying the Amazon case in Germany.
  - The double due diligence test (applied to the UK as well).
  - A plan for handling subject access requests (SARs), which have been on the rise during the pandemic.
- Jonathan’s more comedic post-Brexit survival kit:
  - Restaurant knowledge (namely restaurant French). Check out the video for a hilarious story behind this survival kit item involving Napoleon’s Library, corporate poison pill defenses, and absent translators.
  - A hotline to Andrew Bywater (Jonathan’s colleague at Cordery who has worked in most EU institutions, is a Brexit expert and has even worked on some countries joining the EU). No one knows the exit process, but you can know a lot about exiting by knowing the entry process and reversing it.
  - A satellite phone!
Are you as obsessed with The Great British Baking show as I am?
Much to my dismay, Jonathan talks about how he and his family have moved on from the Great British Baking Show and replaced it with a new guilty pleasure – Married at First Sight Australia – which has helped expand Jonathan’s vocabulary.
We ended our conversation with a fact that is sure to win the day during any trivia night worth attending. It relates to the relationship between The Great British Bake Off, its U.S. version The Great British Baking Show and the Pillsbury Company.
Thank you, Jonathan, for joining us and thank all of you for tuning in!
Now everyone – go visit the Cordery site, especially the news section, at www.corderycompliance.com/news/ for tons of informative content on the past, present and future of data law around the world. You can also check out and subscribe to the Cordery YouTube Channel here – https://bit.ly/3rcdPN5.
This is Matt from ESI Survival Guide telling you to please Stay Safe in the Electronic Wilderness. See you next time!