Here, Eleanor Green provides a guide for footballers (and other athletes) looking to maximise their commercial income and maintain control over their image rights.
Read more
Cloud computing has revolutionised the way that we do business, on many levels. Cloud storage solutions allow businesses to store, access and share data in a way that is cost-effective and limitlessly scalable, with unparalleled security and support, without having to worry about maintaining physical servers.
Since the introduction of the GDPR, many businesses have taken to ensuring that their cloud storage providers’ data centres are located in the UK or the EU in order to avoid complications around “restricted transfers” under the GDPR, and this is still likely to be advisable for security purposes.
However, as we approach the end of the Brexit transition period and wave our final goodbyes to the EU regulatory regime, the legal position is changing once again and the question arises as to where the best place is for a business to locate its data centres.
What’s changing?
From 1 January 2021, the UK will no longer be treated as though it is part of the European Economic Area (EEA) for the purposes of the GDPR – we will become a “third country”.
Unless the European Commission adopts a decision prior to that date that the UK regulatory framework provides adequate protection for personal data (which is looking increasingly unlikely as the New Year draws closer), transfers of data to UK organisations which are subject to the EU GDPR (e.g. where they relate to data about EU individuals) will be subject to the GDPR’s restrictions around international transfers in the same way as transfers to countries such as the US, India or China.
This means that:
- Transfers of personal data by EU organisations to the UK will become “restricted transfers”; and
- If a UK organisation holds personal data about EU individuals (e.g. if it supplies products or services to EU customers), then the transfer of that data to a UK organisation, including its own cloud storage providers, will become “restricted transfers”.
What’s the deal with restricted transfers?
Essentially, the EU GDPR prohibits the transfer of personal data to third countries unless certain safeguards are put in place.
There are certain countries which have the benefit of an “adequacy decision” from the European Commission, meaning that they are deemed to offer a sufficient level of protection of personal data and the availability of suitable rights and remedies for data subjects such that no further safeguards are needed.
For other third countries, there are a number of mechanisms anticipated under the GDPR by which these transfers of personal data can be made lawfully. Some of these are yet to be put into practice and, as such, are currently unavailable. However, two of the primary mechanisms for making these international transfers lawfully are:
- The use of standard contractual clauses (SCCs), approved by the European Commission, in a contract which governs the transfer between the data exporter and the data importer; and
- Binding corporate rules between an international group of companies which ensure protection of personal data and effective rights and remedies for data subjects notwithstanding the laws of the different territories in which they operate.
The use of SCCs in a contract between parties is possibly the most common safeguard adopted by UK businesses for these purposes and, in many cases, this can be implemented without too much headache. However, this is not always the case.
Difficulties with standard contractual clauses
There are a couple of key issues with the use of standard contractual clauses that can make it difficult in some cases to achieve these transfers lawfully.
Negotiated contracts vs standard terms of business
In the case of many large and reputable service providers such as cloud storage or web hosting companies, it may be difficult (if not impossible) to obtain a bespoke, negotiated contract, rather than simply signing up to the standard T&Cs on their website.
The first problem therefore arises where the service provider’s standard terms do not incorporate the necessary SCCs. If a cloud storage provider uses data centres based in the US and their standard terms only contain basic data-processing provisions that might be suitable for domestic transfers, then it would be a breach of the regulations for a UK or EU business to transfer and store personal data about EU/UK individuals on those servers.
The second problem is that the proper use of SCCs requires there to be a level of detail included in the appendices to the contract about the specific types of personal data and categories of data subject to which that data relates. Again, obtaining a bespoke contract that sets out this level of detail with a tech giant such as Microsoft or Amazon (AWS) may be difficult, certainly for smaller businesses.
Schrems II and the requirement for supplementary measures
The second headache when it comes to the use of SCCs arises out of the recent CJEU decision in the case known as Schrems II, which invalidated the EU-US Privacy Shield (which was, until July 2020, the mechanism by which transfers of data could be made to the US with few additional safeguards).
Whilst Schrems II confirmed that the use of SCCs remains a valid option for making international transfers of data lawfully, it highlighted that the use of the SCCs in a contract alone may not be sufficient.
The key purpose of the SCCs is to ensure that an essentially equivalent level of protection would be afforded to the data in the recipient country as it is in the EU and, if the parties have any concerns over the data importer’s ability to comply fully with those clauses (for example, in the case of the US where the receiving party is unable to do anything about the US public authorities wide ‘snooping’ abilities) then supplementary measures are required in addition to the SCCs to ensure that that level of protection is achieved.
After a 4-month period of baffling uncertainty, on 11 November 2020 the European Data Protection Board issued draft recommendations as to what types of supplementary measures could, or should, be taken in cases such as these – with measures such as state-of-the-art encryption playing an important role.
However, the issue remains that organisations intending to make restricted transfers of personal data are required not only to conduct due diligence on the recipient organisation, but also to consider the extent to which the national laws in the third country may impact on the protection of the data and the recipient organisation’s ability to fully comply with the SCCs, before proceeding with the transfer.
Finding the best location for storage of personal data
Where it is possible to implement bespoke SCCs in a contract, and particularly where further measures can be taken to ensure the protection of that data after transfer, the door remains at least partially open to using cloud storage solutions based outside the UK or EEA. However, it is clear from the issues discussed above that this is not always as easy as it seems.
Further, there is a reasonable chance that from the start of next year, transfers of personal data (which are subject to the EU GDPR) to UK service providers may become restricted transfers as well.
Businesses which operate solely within the UK and offer their products or services only to UK individuals may safely determine that the UK is the best place for their data to be located. They will be outside the scope of the EU regulations and domestic transfers will not be restricted under UK law.
However, for a UK business which processes personal data about EU individuals (for example, where it supplies goods or services to EU individuals), the safest option for the time being may in fact be to ensure that the data is stored on servers located in the EU, as the UK government has committed to ensuring that UK-to-EU transfers will not be restricted after Brexit.
There is, however, a question as to whether the UK business’ access to its own data stored on EU servers would constitute a “transfer” for these purposes, which (if so) would require safeguards such as SCCs to be put in place in any event. This is a question which is yet to be addressed by the EDPB, the ICO or other data protection authorities across Europe, and which we intend to comment further on in due course.
If you have any concerns about your transfers of personal data or your preparations for the upcoming changes in 2021, our expert data protection team can provide whatever level of support you may require.
