FAQ

Q. My company is based in the UK. Does this affect me?
A. No.

Q. My company is based outside the European Economic Area. Does this affect me?
A. No.

Q. My company is based in the European Economic Area. How does this affect me?
A. If this proposal is adopted and the European Commission does not adopt an “adequacy decision” for the United Kingdom by 31st December 2020, then the provisions of the Appendix will apply to you from that date. These give you certain rights that replicate rights you already currently have under GDPR, and create certain obligations for LINX that replicate obligations it has under GDPR.

Q. Isn’t this a bit late? Brexit happens on 31st January. Can we continue to share data with LINX between 31st January and LINX108?
A. From 31st January 2020 until 31st December 2020 you are protected by the “transition arrangements” in the Withdrawal Agreement.

Q. What happens if the UK and the EU successfully negotiate a new trade agreement?
A. We assume that a comprehensive trade deal would include the EU agreeing to adopt an “adequacy decision”. Also, if the UK and EU do not manage to agree a fully comprehensive trade deal but do manage some lesser deal, it is possible or likely that the EU will adopt an adequacy agreement as part of that deal. Even without any kind of deal, it is possible the EU will adopt an adequacy decision, as a goodwill measure or milestone requirement, or in return for other concessions; we just do not know.
Regardless of how it happens, if and when the European Commission adopts an “adequacy decision”, the provisions of this proposal would cease to apply and be superfluous. We would then expect to remove them from the MoU in due course as a tidying-up exercise.

Q. Will the adoption of these clauses create new work for LINX as a practical matter?
A. No. GDPR compliance is already obligatory, and LINX business processes must already ensure that we do so comply. The adoption of these clauses would simply make our aspects of our compliance a contractual obligation as well as being a requirement of UK law.

Q. Does this affect traffic flow in any way, in any circumstances?
A. No. Networks based in the EU/EEA routinely interconnect around the world, including in countries with no effective data protection regimes. We are not aware that the European Commission has ever viewed GDPR as any impediment to that from the point of view of the traffic transiting those networks. This proposal concerns the business relationship between LINX and LINX members in the EEA, and personal data transferred to LINX as part of managing that relationship. In practice this means contact information for members of staff at LINX members (and others similar situated, such as contractors working for LINX members), and governs our use of that contact data.

Background

Background Detail

The UK has adopted the GDPR and incorporated it into UK domestic law. It will continue to apply in the UK post-Brexit.

When the UK leaves the EU on 31^st January 2020 there is a “transition period” until 31^st December 2020: during this period the UK continues to have a treaty obligation to continue to apply EU law including GDPR, and the European Commission recognises that as effective. There is therefore no concern about GDPR as an impediment to UK-EU trade during 2020.

After the end of the transition period, GDPR will continue to apply in the UK as a matter of domestic law, and it is the current policy of the UK government that that law will not change. However, the European Commission may choose not to recognise that this is the case, or that the UK law effectively replicates GDPR. The European Commission’s decision as to whether to adopt an “adequacy decision” for UK data protection law is one of the bargaining chips the EU has in the trade negotiations between the UK and the EU that will occur during 2020.

If the European Commission does not recognise the adequacy of UK law, it could potentially be unlawful for businesses in the EU and the wider European Economic Area to export personal data to the UK. In LINX’s case, while this would not affect traffic flowing over LINX (EEA-based networks already routinely peer in countries without adequate data protection), then absent some other mitigation it could prevent LINX members in EEA countries from sharing contact information on individual employees with LINX.

As there are already many other countries which the European Commission does not recognise as having “adequate” data protection laws, there is an established mechanism to enable EEA businesses to export data to those countries lawfully. This requires the business to which the data is exported to enter into contractual commitments that replicate relevant aspects of GDPR. Those commitments must be as recognised by the European Commission, and are known as “Standard Contractual Clauses”. Typically, these are incorporated into the business’ standard terms and conditions.

LINX proposes to incorporate these Standard Contractual Clauses into the MoU. They would apply to LINX members based in EEA countries, and would come into effect on 31^st December 2020 if and only for as long as the European Commission has failed to adopt an “adequacy decision”. Once it does so, they become superfluous so our proposal would have them fall away at that point.

Changes Since Member Consultation

The Standard Contractual Clauses are legal text that cannot be changed. This was provided to us by the UK Information Commissioner’s Office. There is an Annex to the Standard Contractual Clauses that describes what personal data we collect, who it applies to (who is the “data subject”), and the purposes for which we use it.

The Information Commissioner provides a wide range of descriptions of data types and purposes for individual companies to select from.

In the consultation draft, we chose to select a broad range of types of data and purposes for which LINX uses or might use data, to ensure we had full disclosure.

Having taken legal advice, we now recognise that while we hold a range of data on LINX members for a broad range of business purposes, data on the member is not intrinsically personal data because the member is a company. The data we hold on individuals is both much more limited, and only used for much more limited purposes. With few exceptions, mostly relating to organising participation at meetings, we only use the data we hold on individuals to manage and conduct our communications with the companies they work for, and to ensure we know who is authorised to do what on the company’s behalf. Insofar as we associate data we hold on members with personally identifiable individuals, the nature of that data is generally communications between us, instructions and authorisations in relation to that data rather than the data applying to the individual themselves. For example, we hold financial data on LINX member companies, such as credit history: we do not hold credit histories on individuals who work for our members. We do hold a record of who we speak to at a member in relation to invoicing that member.

The revised Annex we are presenting for adoption more clearly reflects the nature of that relationship.