Brexit vote will complicate, but won’t change, data protection laws

U.K. standards likely to remain as tight as they are now to ensure trade with other countries

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

LONDON—Of the many shock waves rever­ber­at­ing from the Unit­ed Kingdom’s vote to leave the Euro­pean Union, one ram­i­fi­ca­tion of acute con­cern to U.S. com­pa­nies doing busi­ness in Europe is how “Brex­it” will affect the new­ly mint­ed EU-US Pri­va­cy Shield rules and the new EU pri­va­cy rules known as Gen­er­al Data Pro­tec­tion Reg­u­la­tion or GDPR.

Ed note_IDT911_Thomas SpierPri­va­cy Shield is the new frame­work for com­mer­cial data exchange between the Unit­ed States and the Euro­pean Union. It is a direct response to pri­va­cy activist Max Schrems’ case, which inval­i­dat­ed its pre­de­ces­sor, Safe Har­bor.

Pri­va­cy Shield aims to restore faith in transat­lantic data flows while ensur­ing the rights of Euro­peans. It aims to pro­vide legal cer­tain­ty for U.S. and EU-based busi­ness­es that trans­fer data between the two juris­dic­tions. That includes Google, Apple, Microsoft, Face­book, LinkedIn, Ama­zon and thou­sands of small- and mid­size U.S. com­pa­nies that trans­act with Euro­pean clien­tele.

Relat­ed video: How ‘Pri­va­cy Shield’ came about

Pre-Brex­it, there was a pal­pa­ble lev­el of uncertainty—on both sides of the Atlantic—as to how the actu­al imple­men­ta­tion of Pri­va­cy Shield would play out.

So what about post-Brex­it? The imme­di­ate impact is like­ly to be none what­so­ev­er, cer­tain­ly not for a cou­ple of years.

After all, the U.K. remains a bona fide mem­ber of the Euro­pean Union. All U.K. laws ref­er­enc­ing EU Direc­tives and the Euro­pean Com­mu­ni­ties Act remain in force. So all EU reg­u­la­tions must still be adhered to.

That sta­tus quo will remain true for longer than most peo­ple may real­ize. That is because the process for actu­al­ly leav­ing will be a long and drawn out one, in which many of the ques­tions around data trans­fer will be answered in due course.

The Treaty of Lis­bon, which forms the EU’s con­sti­tu­tion­al basis, requires the U.K. to for­mal­ly noti­fy the EU of any inten­tion to leave, which trig­gers a process illus­trat­ed under Arti­cle 50 of the treaty.

No changes immi­nent

This process takes at least two years and the out­go­ing prime min­is­ter already has stat­ed that he will leave it to his suc­ces­sor to invoke the exit notice. As we will not have a new prime min­is­ter before Sep­tem­ber, the ear­li­est we can real­is­ti­cal­ly “leave” the EU is Sep­tem­ber 2018.

And our for­mal exit could take even longer if Par­lia­ment, which is marked­ly “pro-remain,” decides they don’t like the new PM, and calls for a gen­er­al elec­tion next spring.

It’s worth remem­ber­ing that, while the deci­sion to leave was tak­en by the British peo­ple in a ref­er­en­dum, the man­ner of us leaving—and what exact­ly “out” looks like—is a mat­ter for Par­lia­ment and Par­lia­ment alone.

Pri­va­cy Shield cer­tain­ly has had a rocky road since its unveil­ing ear­li­er this year. How­ev­er, Europe and the U.K. will not want to exac­er­bate the cur­rent sit­u­a­tion any fur­ther by pick­ing more argu­ments with their U.S. coun­ter­parts.

The U.K. will still want to ensure that their data pro­tec­tion laws are stronger than before, up to date and pro­tect their cit­i­zens. So we are like­ly to adopt a sim­i­lar frame­work to oper­ate in tan­dem with Pri­va­cy Shield, even post-Brex­it. This would be sim­i­lar for the new GDPR.

Cana­di­an mod­el attrac­tive

An alter­na­tive rela­tion­ship with Europe that has found a lot of favor here is the Cana­di­an mod­el, which means we adopt com­mon reg­u­la­tion on cap­i­tal, goods and ser­vices to allow for free trade. This would include still adopt­ing the laws that would align with Pri­va­cy Shield and GDPR.

To be sure, Brex­it is like­ly to com­pli­cate mat­ters. That said, it is unlike­ly to fun­da­men­tal­ly change any­thing. One must remem­ber that the EU has good rela­tions with their non-EU neigh­bors such as Nor­way and Switzer­land. The U.K.’s Infor­ma­tion Commissioner’s Office (ICO), which over­sees pri­va­cy rules and helped craft GDPR, also has his­tor­i­cal­ly oper­at­ed in rel­a­tive pri­va­cy har­mo­ny with non-EU nations.

Specif­i­cal­ly on GDPR, the reg­u­la­tions will apply across the board if your busi­ness han­dles data about an EU cit­i­zen, regard­less of where you are based. If a U.S.-based com­pa­ny has data about a Euro­pean, it needs to com­ply with GDPR and Pri­va­cy Shield.

Giv­en how entan­gled Europe’s economies have become over the past 40 to 50 years, the vast major­i­ty of busi­ness­es will find it impos­si­ble to dis­tin­guish between the data they hold on U.K. nation­als and that of EU nation­als.

Busi­ness­es back Pri­va­cy Shield

The most like­ly out­come, at the moment, will be for the U.K. to adopt Pri­va­cy Shield in full and/or pass some­thing exact­ly the same through our par­lia­ment. The same goes for GDPR. Busi­ness­es of all sizes are lob­by­ing for this action.

In clos­ing, it’s note­wor­thy that the ICO issued a state­ment imme­di­ate­ly fol­low­ing the Brex­it vote. It speaks for itself and bears repeat­ing:

If the UK is not part of the EU, then upcom­ing EU reforms to data pro­tec­tion law would not direct­ly apply to the UK. But if the UK wants to trade with the sin­gle mar­ket on equal terms, we would have to prove ‘adequacy’—in oth­er words UK data pro­tec­tion stan­dards would have to be equiv­a­lent to the EU’s Gen­er­al Data Pro­tec­tion Reg­u­la­tion frame­work start­ing in 2018.

With so many busi­ness­es and ser­vices oper­at­ing across bor­ders, inter­na­tion­al con­sis­ten­cy around data pro­tec­tion laws and rights is cru­cial both to busi­ness­es and orga­ni­za­tions and to con­sumers and cit­i­zens. The ICO’s role has always involved work­ing close­ly with reg­u­la­tors in oth­er coun­tries, and that would con­tin­ue to be the case. Hav­ing clear laws with safe­guards in place is more impor­tant than ever giv­en the grow­ing dig­i­tal econ­o­my, and we will be speak­ing to gov­ern­ment to present our view that reform of the UK law remains nec­es­sary,”

Paul Keane, IDT911 Euro­pean Oper­a­tions Man­ag­er, con­tributed to this essay.

Read more sto­ries about data pro­tec­tion laws:
Pri­va­cy Shield aims to bridge EU-U.S. dig­i­tal pri­va­cy gap, but ques­tion marks remain
Safe Har­bor rul­ing sends big rip­ples through U.S. com­pa­nies
Dev­il is in the details for Canada’s data breach dis­clo­sure law