tells companies to draft contracts for data flows just in case they screw up Brexit

Data adequacy won't be assessed till after departure

The UK government has told companies to start drawing up standard contractural clauses for data transfers in case of a no-deal Brexit.

The warning comes in latest batch of technical notices released to allow organisations to prepare for the event it doesn't manage to negotiate exit terms with the European Union before March 2019.

In the notice on data protection, the government said that although it would greenlight the transfer of UK data to other member states, there were no such guarantees in reverse.

This is because the EU has to rubberstamp the standards of protection applied by the UK – known as an adequacy decision – and Eurocrats have made it clear this won't happen until the UK is out of the bloc.

That leaves a period of time between the official exit date and the adequacy decision – assuming it is granted, which is far from a foregone conclusion – when data will not be able to flow into the UK, which would be a massive blow to companies doing business in Europe.

Schoolkids in uniform studying with books/apple. Photo by shutterstock

Brit govt told to do its homework ahead of talks over post-Brexit spy laws and data flows


The government's attitude thus far has been that the two sides should recognise each other's regimes ahead of the exit date – and the UK government has been accused of being complacent about the ease with which it will get this deal.

Politicians have largely publicly ignored statements from the EU's chief negotiator, Michel Barnier, that emphasised an adequacy decision can only be taken once the bloc can assess the UK's new legal framework.

However, the technical notice acknowledged this is the reality in the case of a no-deal scenario. It aims to make the first move by saying it will recognise the two systems as aligned, but has accepted the EU won't do the same.

"While we have made it clear we are ready to begin preliminary discussions on an adequacy assessment now, the European Commission has not yet indicated a timetable for this and have stated that the decision on adequacy cannot be taken until we are a third country," the notice said.

As such, it said that companies that want to receive personal data from organisations in the EU, including data centres, need to work with their EU entities and partners to find new legal bases to cover those transfers.

"We recommend that you proactively consider what action you may need to take to ensure the continued free flow of data with EU partners," the notice said.

They put forward two approaches: derogations provided in Article 49 of the General Data Protection Regulation or set agreements offered by the European Commission known as standard contractural clauses (SCCs).

The latter is likely to be the most relevant, as derogations can only be relied upon if SCCs or another mechanism, binding corporate rules, cannot be used – and both of these have already been branded "unsatisfactory substitutes" for an adequacy deal by MPs on Parliament's Brexit committee.

A primary concern is the onus it puts on the companies, which now have less than six months to organise new contracts.

BT's Brexit boss Stephen Hurley told MPs that, with more than 18,000 suppliers, setting up SCCs would be very cumbersome, especially as the set text "isn't necessarily designed to deal with the modern ways of doing business, and the way flows of data occur in practice".

The committee concluded that the "considerable change from the status quo would place a bureaucratic burden on individual businesses, a burden which would be prohibitive for many small businesses".

There is also uncertainty about the suitability of SCCs, as they are currently the subject of a legal challenge in the EU's top court, in the long-running legal wrangling between activist Max Schrems and Facebook.

The court has been asked to rule on how much protection these clauses – which companies started to use for US data transfer after Safe Harbor collapsed – afford EU citizens whose data is being transferred.

The technical notice also said the UK "will continue to push for close cooperation and joined up enforcement action between the [Information] Commissioner's Office and EU data protection authorities".

The government has chanced its arm here before, calling for continued membership of mechanisms such as the "One-Stop Shop", which allows organisations that operate in a number of member states to deal with just one supervisory authority, and for the ICO to remain involved in the European Data Protection Board.

However, the EU has yet to suggest it will go along with such plans, and Barnier has repeatedly rejected them , saying the EU "cannot, and will not" share its decision-making powers with a third country. ®

Similar topics

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022