Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, like the USA.
The EU Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK, unless SaaS suppliers have in place appropriate protection measures to make the transfer legal under the GDPR.
EEA Data Transfers
The EEA is the EU, Norway, Lichtenstein and Iceland. If the UK decides to become a member of the EEA in its own right, following Brexit, UK SaaS suppliers would be able to continue to transfer personal data of SaaS customers located in the EU to the UK. However, the UK government has indicated that it does not intend to join the EEA after leaving the EU. This means that prior to the Brexit Date the UK government must agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK or SaaS suppliers themselves will put alternative arrangements in place from the Brexit Date.
The alternative arrangements that could be used by UK SaaS suppliers are currently:
- Standard model clauses;
- Binding Corporate Rules;
- Approved certification measures; or
- Consent from data subjects.
Standard Model Clauses
Standard model clauses are designed to allow EU SaaS customers transfer personal data from the EU to SaaS suppliers located outside the EEA. If the UK is not a member of the EEA after leaving the EU, SaaS customers located in the EU will need to enter into EU model clauses with UK SaaS suppliers in order to continue to transfer personal data to UK SaaS suppliers.
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK is not a member of the EEA after leaving the EU, then a UK based SaaS customer will not be able to use BCRs to cover transfers outside of the EEA to a data processor, unless the SaaS customer has another entity located within the EEA. In any event, BCRs only cover inter-company transfers of personal data, not transfers of data by a SaaS customer to a third party SaaS supplier located outside of the EEA.
Approved Certification Measures
The UK government could apply for an adequacy decision from the European Commission certifying that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK:
- Does not continue to comply with the General Data Protection Regulation (GDPR) after the Brexit Date; or
- Changes its existing data protection laws – which are based upon a EU directive and the GDPR from the 25th of May 2018.
In any event an adequacy decision would not be approved by the European Commission prior to the Brexit Date.
EU-UK Privacy Shield
Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own privacy shield to cover personal data transfers from the EU to the UK. Again, it is unlikely that a UK-EU privacy shield would be negotiated, or finalised, prior to the Brexit Date.
How to Prepare for Change
UK SaaS suppliers should start considering the specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU on the Brexit Date. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take deal in order to ensure that data transfers from the EU can continue to take place from the Brexit Date.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – GDPR – The General Data Protection Regulation
- SaaS Agreements – GDPR – Local Derogations
- SaaS Agreements – GDPR – UK Data Protection Act 2018
- SaaS Agreements – GDPR – US companies
- SaaS Agreements – GDPR – Data Processing Agreement
- SaaS Agreements – GDPR – Age of Consent
- SaaS Agreements – GDPR – New German Data Protection Law (BDSG)
- SaaS Agreements – Data Protection – SaaS, Brexit and the GDPR
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Data Protection – EU US Privacy Shield
- SaaS Agreements – Data Protection – Privacy Shield Update
- SaaS Agreements – Data Protection – Microsoft Irish Data Centre Decision
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Data Stored in the USA