Brexit vote will complicate, but won’t change, data protection laws
U.K. standards likely to remain as tight as they are now to ensure trade with other countries
By Thomas Spier, Special to ThirdCertainty
LONDON—Of the many shock waves reverberating from the United Kingdom’s vote to leave the European Union, one ramification of acute concern to U.S. companies doing business in Europe is how “Brexit” will affect the newly minted EU-US Privacy Shield rules and the new EU privacy rules known as General Data Protection Regulation or GDPR.
Privacy Shield is the new framework for commercial data exchange between the United States and the European Union. It is a direct response to privacy activist Max Schrems’ case, which invalidated its predecessor, Safe Harbor.
Privacy Shield aims to restore faith in transatlantic data flows while ensuring the rights of Europeans. It aims to provide legal certainty for U.S. and EU-based businesses that transfer data between the two jurisdictions. That includes Google, Apple, Microsoft, Facebook, LinkedIn, Amazon and thousands of small- and midsize U.S. companies that transact with European clientele.
Pre-Brexit, there was a palpable level of uncertainty—on both sides of the Atlantic—as to how the actual implementation of Privacy Shield would play out.
So what about post-Brexit? The immediate impact is likely to be none whatsoever, certainly not for a couple of years.
After all, the U.K. remains a bona fide member of the European Union. All U.K. laws referencing EU Directives and the European Communities Act remain in force. So all EU regulations must still be adhered to.
That status quo will remain true for longer than most people may realize. That is because the process for actually leaving will be a long, drawn-out one, in which many of the questions around data transfer will be answered in due course.
The Treaty of Lisbon, which forms the EU’s constitutional basis, requires the U.K. to formally notify the EU of any intention to leave, which triggers a process set out under Article 50 of the treaty.
No changes imminent
This process takes at least two years and the outgoing prime minister already has stated that he will leave it to his successor to invoke the exit notice. As we will not have a new prime minister before September, the earliest we can realistically “leave” the EU is September 2018.
And our formal exit could take even longer if Parliament, which is markedly “pro-remain,” decides they don’t like the new PM, and calls for a general election next spring.
It’s worth remembering that, while the decision to leave was taken by the British people in a referendum, the manner of us leaving—and what exactly “out” looks like—is a matter for Parliament and Parliament alone.
Privacy Shield certainly has had a rocky road since its unveiling earlier this year. However, Europe and the U.K. will not want to exacerbate the current situation any further by picking more arguments with their U.S. counterparts.
The U.K. will still want to ensure that their data protection laws are stronger than before, up to date and protect their citizens. So we are likely to adopt a similar framework to operate in tandem with Privacy Shield, even post-Brexit. This would be similar for the new GDPR.
Canadian model attractive
An alternative relationship with Europe that has found a lot of favor here is the Canadian model, which means we adopt common regulation on capital, goods and services to allow for free trade. This would include still adopting the laws that would align with Privacy Shield and GDPR.
To be sure, Brexit is likely to complicate matters. That said, it is unlikely to fundamentally change anything. One must remember that the EU has good relations with their non-EU neighbors such as Norway and Switzerland. The U.K.’s Information Commissioner’s Office (ICO), which oversees privacy rules and helped craft GDPR, also has historically operated in relative privacy harmony with non-EU nations.
Specifically on GDPR, the regulations will apply across the board if your business handles data about an EU citizen, regardless of where you are based. If a U.S.-based company has data about a European, it needs to comply with GDPR and Privacy Shield.
Given how entangled Europe’s economies have become over the past 40 to 50 years, the vast majority of businesses will find it impossible to distinguish between the data they hold on U.K. nationals and that of EU nationals.
Businesses back Privacy Shield
The most likely outcome, at the moment, will be for the U.K. to adopt Privacy Shield in full and/or pass something exactly the same through our parliament. The same goes for GDPR. Businesses of all sizes are lobbying for this action.
In closing, it’s noteworthy that the ICO issued a statement immediately following the Brexit vote. It speaks for itself and bears repeating:
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms, we would have to prove ‘adequacy’—in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organizations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
Paul Keane, IDT911 European Operations Manager, contributed to this essay.