The story of the last three years under the European General Data Protection Regulation 2016/679 (GDPR) has been interesting. It began with the initial panic and the floods of emails received as businesses updated their marketing lists and sought ‘consent’ from the data subjects already on their marketing or customer lists.
Then came the first ICO enforcement actions and whopping fines, through Schrems II and the Brexit “bridge” to the current questions about adequacy (will the EU agree that the UK GDPR is an adequate processing system?) and the new standard contractual clauses (SCCs). But has the GDPR really disrupted the business of data?
The GDPR has required businesses to react and adapt, and we have seen many great examples of quick and efficient compliance to avoid the disruption many feared. The business of data (businesses who really deal in data as their core activity) has generally adapted well and made the required changes. On a smaller scale, however, data in business has been disrupted and continues to cause some business disruption.
Many companies have made their moves towards compliance very successfully and continue to monitor and update their privacy policies, implementing data processing or sharing agreements with their business partners and ensuring their own internal organisation reflects compliant practice.
Cases such as the H&M employee records fine have alerted businesses to the correct management of their HR records, and the large fines imposed for spam marketing, or for hacking incidents affecting insecure IT systems, have sensitised many businesses to the need to examine their treatment of customer and marketing lists, as well as the testing of their IT systems for compliance.
We have seen businesses around the world adjust to the new EU/EEA compliance regime with different attitudes. The big data storage providers were quick to respond by providing EEA-based servers so that personal data could remain within EU/EEA territory, avoiding the issues around restricted transfers and allowing them to retain their clients. This area initially seemed to be a big hurdle, but it was minimised by the investment and action of the big storage providers, who provided compliant solutions; here there was minimal disruption, and European personal data was migrated over and brought back from storage outside the EEA.
Software developers, consultants and service providers around the world have familiarised themselves with the European Commission SCCs in order to be able to continue to provide their services to their European clients and customers. Once the correct contracts are in place (and the correct compliant technological measures have been taken to ensure the safe transferring of personal data), this business of data has not seen great disruption either.
We are still advising on how to effect these data transfers (either to processors or to other controllers), which demonstrates that many businesses are still taking the steps to adapt. While one may ask how the EU would enforce against these entities in third countries anyway, the key is that the European-based entity must comply and the European-based data subjects expect business to comply, so this requirement is being contractually passed on as a ‘must have’. The accountability of the European entity and the awareness of the European data subjects (consumers) have been the main drivers for compliance and, in order to avoid loss of business, compliance by businesses outside the EEA has followed.
Some global businesses chose the route of Binding Corporate Rules (BCRs) to be able to continue to process their data intra-group seamlessly. The biggest issue initially was the long delay between submitting draft BCRs to a supervisory authority and having them signed off, but eventually this potential source of disruption has been reduced, and transfers of data out of the EEA to other group companies in third countries (which are known as ‘restricted transfers’) now go ahead smoothly on the basis of the BCRs.
Then came the Schrems II decision of 16 July 2020 to cause further headaches, especially for US-based businesses that receive EEA personal data. The uncertainty over how to ensure compliance and the security of personal data transferred to the US has cast a long shadow over transfers of data Stateside.
Advice has often had to be that personal data cannot be compliantly transferred and that the most practical solution would be for the data to stay in the EEA and be managed on EEA-based servers, accessed by EEA-based staff. This has caused some disruption to data flow and business and has potential to affect not only the US transfers of personal data but transfers of personal data to other territories where the security of the personal data cannot be overseen and guaranteed by the two contracting parties. Enforcement will be (again) against the EEA-based entity exporting the personal data, leaving them exposed to enforcement action by the supervisory authorities of their home country for making a “restricted transfer” without procuring adequate protection of the personal data.
The risk to the US counterpart is less, so the commercial realities are often the deciding factor. The UK supervisory authority, the Information Commissioner's Office (ICO), has yet to take any steps towards enforcement of the Schrems II judgment on US transfers (and at the moment seems unlikely to). But the Bavarian supervisory authority in Germany has ordered one Bavarian business to stop using Mailchimp (which routes personal data through US servers). This is important to note for UK-based businesses with European subsidiaries, against whom European supervisory authorities can enforce.
In terms of business disruption, the Schrems II judgment still poses some threat, and our advice is to have a plan B if your business is continuing to transfer personal data to the US on the basis of Privacy Shield (which Schrems II invalidated) or of SCC arrangements.
The new SCCs do not entirely help either. They are a necessary update to the previous version of the SCCs (which date from 2010, well before the GDPR took effect in 2018, and were therefore not drafted for the GDPR) and reflect the GDPR's compliance requirements, but they do not solve the over-arching problem of Schrems II. The new SCCs provide a framework for making the organisational and technical provisions necessary to safeguard personal data, but they cannot circumvent the underlying problem identified by the court: US surveillance law allows state access to transferred data without the safeguards and redress for data subjects that EU law requires.
Finally, the new version SCCs apply to EEA personal data only; due to Brexit, the UK retained the old version SCCs and has not automatically adopted the new versions. This may cause a hiccup for data flowing from the EEA to the UK and potentially onwards from the UK to a further third country, as the old SCCs can no longer be used for new contracts covering EEA personal data after 27 September 2021 (existing contracts on the old SCCs may continue until 27 December 2022, provided the processing operations remain unchanged). Ideally, and logically, the UK will adopt the new version SCCs to smooth this issue over; the new SCCs will match the domestic UK GDPR (and Data Protection Act 2018) better in any event.
Brexit and adequacy
Brexit may soon also start to pose a problem for the continued smooth flow of personal data from the EEA to the UK. To date, the “Brexit bridge” has been in place to allow personal data to continue to be transmitted to and fro, but that bridging arrangement is due to run out shortly. As covered by my colleague, the UK then becomes a third country for the purposes of the GDPR, and personal data transfers from the EEA will need the new SCCs to proceed.
We may yet be saved by a timely adequacy decision, but the clock is ticking.
While the UK is no longer bound to follow the GDPR as a result of Brexit, it would appear unlikely that rejecting the GDPR (which is currently also domestic law) is the best means of avoiding disruption to data flow. What’s more, the EU is in discussions with the US to find a solution to the Schrems II situation, although we await updates on progress.
The protection of personal data as a personal and individual right, over its potential value as a business asset, has had a disruptive effect on the business of data. Many businesses have had to reorganise and adapt, and some have even shut down aspects of their activities which were no longer permitted, or which simply were not compliant with the rights created by the GDPR. But disruption can bring improvements in standards too, and there are strong arguments in favour of regulating the uses of personal data and the protection of privacy.
The threat of large fines was the initial impetus; however, three years on, the reputational damage caused by non-compliance is almost as persuasive, and many businesses now advertise their data compliance as a selling point and proof of their trustworthiness.
European consumers have become more aware and sensitised to the value of their personal data and resentful of being the target of advertising from the crassest spam to the subtler cookies or “tailoring” of their landing page, and businesses are aware that consumer power can make itself felt, aside from the power of any supervisory authority.