Banking data and Brexit: last-minute priorities for financial institutions
Elizabeth Denham, UK Information Commissioner, wrote a letter published in the Financial Times on November 30th. In it, she warned that businesses who were relying on the UK reaching EU equivalency around data laws were “taking too great a risk.” As we approach the last week of December and the deadline for negotiations looms, a no-trade deal Brexit is looking increasingly likely. Firms have had plenty of time to plan for this eventuality, but even so, the uncertainty that lies ahead, compounded by the impact of a global pandemic, means firms need to ensure they’ve done everything they can to prepare.
In July, the European Central Bank (ECB) outlined three key priorities for banks in the lead up to December 31st. These were:
The ECB has put a lot of emphasis on banks reaching their “end-state target operating models” as soon as possible. This process includes recruiting European-based employees with “sufficient seniority and skills”; making the necessary transfer of material assets (such as data storage facilities) to the EU, and ensuring trading desks are not split over several legal jurisdictions. Firms which haven’t made these preparations will be considered as non-compliant with the ECB’s requirements. “The ECB’s expectation is very clear: all activities related to European products or European customers should, as a general principle, be managed and controlled from entities located in the EU,” it said.
CCPs: avoiding the “cliff edge”
Although December 31st is the final deadline for trade negotiations, UK central clearing counterparties (CCPs) were given temporary equivalency until June 2022. This means that in terms of trading over the counter (OTC) derivatives, the status quo will be maintained for a little while longer. However, as the ECB was eager to point out in its blog post on the matter, this merely postpones the inevitable and firms should act now to alleviate the impact further down the line. “It remains critical for the industry to continue these actions in order to avoid possible new cliff-edge risks at a later stage. Where equivalence is time-limited, the cliff is still there. It is simply further away.” It is possible a similar arrangement could be made for UK data laws last-minute, but like the CCPs scenario, it’s important that firms assume they will be working from a third-country standpoint in order to avoid a plummet into the unknown.
Data rules: still unclear
Within the UK, the EU’s GDPR (General Data Protection Regulation) is more or less replicated in a slightly amended UK version (the Data Protection Act 2018) applicable after Brexit. However, there are still serious implications for the handling of cross-border data after December 31st and this is one area which is still a source of great uncertainty for financial institutions and indeed anyone who handles their data. The free flow of data between the EU and the UK is not guaranteed after the transition period ends and organisations must implement alternative arrangements to ensure that data can continue to legally flow from the EU/EEA to the UK. Data transfers between the EU and the UK after this time will become “restricted transfers” and so firms will need to create special “transfer mechanisms” (such as the EU Standard Contractual Clauses) in order to move their data to or from the EU.
The UK has said data can continue to be transferred from the UK to the EU after the transition period because it is satisfied that the EU’s rules align with its own, but this decision will be kept under review. The EU, however, has made no such decision and so firms should now be prepared to treat the UK as a third country - i.e. outside of the EU’s data jurisdiction - by the end of the year.
Data transfers from non-EEA countries to the UK will need to comply with that country’s specific data protection rules.
Employing a GDPR representative
By January 1st 2021, financial institutions will be required to employ a dedicated GDPR representative in the UK and/or the EU if their operations are deemed under the extraterritorial scope of the EU/UK data protection rules. US (and other third-party country) organisations with EU representatives previously based in the UK will also need to make this change and ensure they have a representative who is physically based within the EU.
No more ‘one-stop shop’
Many UK organisations will no longer be able to take advantage of the GDPR’s so-called one-stop shop measures. These are EU merger rules which allow a single supervisory authority to act as the lead on behalf of the other EEA supervisory authorities. This means only dealing with a single regulator responsible for enforcing the GDPR across the EU. If equivalency is not reached, this could make meeting data protection requirements extremely complex, as firms will be answerable to several authorities in several countries - and could therefore be fined by numerous bodies.
In order to maintain access to the GDPR one-stop shop system, the firm would need to move its data-processing operations to an EU member state. Most banks have already put these measures in place - though some have been delayed significantly due to COVID-19 travel restrictions. The ECB has made clear its position on this: “It is important to note that remote working arrangements do not change the fundamental need to relocate staff to the EU,” it said in November. “Ensuring that banks have a physical presence within the EU to the extent necessary is a prerequisite for achieving prudent risk management and effective supervision. The ECB looks forward to receiving evidence that staff subject to relocation have been or will be duly integrated in the entity under European banking supervision.”
Firms that have taken these relocation measures will need to update their data protection-related documentation including privacy notices, data-processing addenda and other similar contractual arrangements, as well as internal policies and records including Data Protection Impact Assessments and also the GDPR’s Article 30 Records of Processing.
Impact of Schrems II case and the EU-US Privacy Shield ban
To add to the complexities of Brexit, if you are a US firm, or an EU firm that transfers data between the EU and the US, and you are using Standard Contractual Clauses (SCCs) for your data transfers, you must also take into account the impact of the Schrems II case.
A ruling in July by the European Court of Justice (CJEU) banned the current EU-US data sharing security framework known commonly as Privacy Shield. The decision came after privacy campaigner Max Schrems took Facebook to court arguing that EU citizens’ data is not protected from unscrupulous US surveillance laws once it is transferred from the EU into the US. The CJEU found that Privacy Shield is not a valid way to transfer personal data outside of the EEA. The Data Protection Commission (DPC) of Ireland (where Facebook is headquartered) said: “Whatever mechanism is used to transfer data to a third country, the protection afforded to EU citizens in respect of that data must be essentially equivalent to that which it enjoys within the EU.” Although the use of SCCs was cleared in the ruling, “in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable,” it added.
This could impact banks and other financial institutions, in particular European banks that use third-party US companies for data management purposes. If a US provider either relied on the Privacy Shield or was subject to SCCs, the banks’ customers would be able to query the safety of their data and so would the regulators in the relevant countries. The CJEU has said firms must take “supplementary measures” when making international data transfers to third countries using the SCC mechanism (including to the UK after December 31st). This has been elaborated upon by the European Data Protection Board (EDPB), which has outlined a number of key recommendations for implementing supplementary measures for data transfers, including:
Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data