EU firms face operational burdens if UK denied data protection adequacy

A no-adequacy decision could create new logistical issues for compliance teams and data managers operating across the UK and the EEA.

Financial firms could be dealt a fresh batch of operational burdens due to Brexit if the European Commission (EC) decides that UK privacy laws offer an inadequate level of data protection for transferring personal data between the UK and European Union member states. If adequacy is not granted, compliance and operations teams of firms in the European Economic Area (EEA) will need to undergo onerous paper exercises and establish bilateral or multilateral data protection safeguards.

“The main hit for businesses is having to conduct fairly extensive repapering exercises because, in most instances, businesses haven’t actually had to create a huge amount of paperwork for transferring data from the EU and the UK, or the other way around,” says Arnav Joshi, senior associate at Clifford Chance, an international law firm. “So, it is going to cause quite a bit of heartache in terms of having to create that extra paperwork.”

At the end of the Brexit transition period on December 31, 2020, the UK became a third country to the EU, an area that falls outside of the EU’s General Data Protection Regulation zone. While GDPR principles have been incorporated into UK legislation, the EC must first deem its laws adequate to allow businesses in the EEA to continue transferring personal data to and from the UK without restrictions or applying added safeguards. The UK has already granted the EU adequacy.

As part of the new trade deal between the two blocs, the EU has delayed any restrictions for four months—with the potential of extending that by an additional two months—to allow the EC to reach its adequacy decision. This review period is also known as the bridge.

Without adequacy, industry firms in the EEA will have to implement what are known as standard contractual clauses, or model clauses. While SCCs are not new to businesses, as they are used to transfer data to other third countries that do not have adequacy decisions for them—the US, for example—the difference is the sheer volume of contracts that will need to be drafted by the likes of banks, trading firms, or vendors to avoid breaching EU GDPR rules.

“It’s not only that we need [a single] standard contractual clause for a bank; they will probably need thousands of them,” says Aleksandra Wojcik, senior associate for policy, technology, and operations at the Association for Financial Markets in Europe (AFME). “Our members are in the wholesale capital markets space, so we are talking about thousands of standard contractual clauses that will have to be put in place.”

Alex Scheinman, director of privacy at ACA Aponix, a provider of compliance solutions, describes several scenarios in which a no-adequacy decision would prove problematic for financial firms. He says EEA-based firms can currently raise funds from institutional investors across the UK and EU without any restrictions on the data they collect or move between the different countries. But in the absence of an adequacy decision, raising such funds from entities in the UK will involve an added layer of complexity, requiring model clauses and individual agreements with institutional investors. Other relevant scenarios include disruption to the movement of human resources data or client information between the UK and EU member states.

Scheinman adds that there is more to an SCC than just signing a piece of paper.

“You are signing up to say, ‘I am more or less committed to GDPR, but I’m also committed to notifying the exporter or the importer of data when there are changes in the data that’s collected, stored, or processed,’” he says. “So, there is more than just signing a contract; you are also committing to certain behaviors and rules, and you add certain obligations to either notify regulators or notify the data exporter when you’re using new third parties, for example. So, there’s quite a bit to wrap your head around.”

Complying with data protection rules and putting SCCs in place also require financial firms to have better visibility of their data flows. The more partnerships or relationships a firm has with other third-party entities, the more complicated that web of data becomes, says a data privacy counsel at an international technology and data firm.

“A lot depends on the structure of the company, as some companies may have very easy data flows, and they just transfer data from the UK to the US, and put a contractual clause in place and it’s done. But you may also have other entities you are involved with outside of the US and UK, so then it starts to get a bit more complicated,” they say.

There are alternative agreements that companies can use called binding corporate rules (BCRs), which allow contracts for transferring data to be formed with companies on a group level. This can drastically reduce the number of contractual agreements needed, but BCRs require a heavy volume of paperwork and can take up to a year to be approved by the EC, says Clifford Chance’s Joshi. This burden of work would include defining the type of data being transferred, laying out the measures put in place to protect it, and identifying the types of data subjects involved.

More red tape: Schrems II

Implementing SCCs will also become much more challenging in the months to come. In November 2020, the EC also introduced new SCC changes that will take effect later this year. Firms will be given a grace period of one year to repaper and comply with the rule from the implementation date.

“Once the new standard contractual clauses are adopted, members and all businesses operating in the EU will only have one year to change or repaper to the new standard contractual clauses,” Wojcik says. “Our members may be in a situation where they’re ready with the old standard contractual clauses, but will possibly have to do a repapering exercise all over again to live up to the standards of the new standard contractual clauses.”

Wojcik says AFME is advocating to extend the grace period to three years, rather than one, to allow banks to have more time to update their SCCs.

The new SCCs aim to offer an additional layer of protection when moving data. In drafting the new SCCs, the EC also considered the decision made by the Court of Justice of the European Union (CJEU) in the Schrems II case, which invalidated the EU–US Privacy Shield, a legal mechanism that allowed for the transfer of data between the two blocs. The Privacy Shield was deemed invalid because invasive US surveillance laws meant it failed to meet the data protection standards required by the EU, leaving firms to rely on SCCs for transfers to the US. The main issue is that US laws stipulate that in the event of an investigation, the US government has the authority to access personal data stored or processed by a company located in the US—something the CJEU deems “disproportionate interference with the rights to protection of data and privacy” under GDPR.

In reaction to the Schrems II ruling, the EC has updated the SCCs to include more stringent obligations for firms when transferring data to and from third countries. Kathryn Rogers, partner at UK-based law firm Cripps Pemberton Greenish, says establishing SCCs will no longer be a tick-the-box exercise. Rather, those involved in transferring data within a firm—say, a bank or an asset manager—will have greater responsibilities.

“As a result of Schrems II, the EC said it’s not enough to simply put in place SCCs blindly and not think about it any further,” Rogers says. “The person making the transfer also needs to consider a number of factors, such as whether the data subjects actually have protection in the country to which the data is being transferred, the level of data being transferred, the reason why it’s being transferred, and whether the company you’re transferring it to has a track record of keeping data safe.”

Joshi also says that because of the Schrems ruling, firms will have to conduct continuous assessments, rather than a one-time contractual exercise, to ensure the SCCs are regularly reviewed and updated to meet the EU’s data protection requirements, the Schrems ruling, and other evolving regulation around the issue of human rights.

Playing politics

While most sources spoken to for this article are hopeful that the EU will grant the UK adequacy, some recent court decisions have cast doubt. In October 2020, the CJEU deemed the bulk of the UK’s data collection regime illegal under EU law. The ruling stated that the UK’s Investigatory Powers Act (IPA) violated fundamental rights to privacy and data protection under GDPR because it required companies such as telecommunications firms or internet service providers to retain communications data and enable UK security agencies to access it in an investigation.

Joshi says the difference between the US surveillance regime and the UK’s IPA is that the UK system requires independent redress or a judicial warrant to exercise these powers, which might offer the EU some comfort.

“For instance, with the US system, there is no independent redress of how a government authority would exercise its powers under these surveillance laws, whereas in the UK, any exercise under the surveillance laws is subject to independent redress in what is a very strong judiciary and court of law,” he adds.

While no one can fully predict what the EC will decide in the coming months, Rogers says a no-adequacy decision would demonstrate to other countries how challenging it can be to achieve a level playing field with the EU on data movements, particularly given that the UK’s GDPR-based laws mirrored those of the EU upon its departure from the bloc. In the same set of rulings as the UK decision, the CJEU also called out EU member states Belgium and France for unlawful surveillance regimes, as their data retention and collection practices for security services failed to meet GDPR requirements.

Legal readings aside, politics may also play a role, with adequacy used as leverage to extract concessions from the UK in other aspects of the trade negotiations. Joshi says data transfers and adequacy could become yet another pawn in the game of politics.

“This could just become a political bargaining chip,” he says. “So, it may not be 100% about the laws or about the data transfers; they would just know that because data transfers are important to both sets of negotiating parties, they could then apply higher standards [on data privacy] than they otherwise would [have before].”
