As a result of Thursday’s historic referendum, the United Kingdom will be leaving the EU. The decision will have a profound effect on many areas, including the global economy, trade, immigration and, potentially, the continued unity of the UK. The United Kingdom won’t be departing immediately, though – it must invoke Article 50 of the Lisbon Treaty and then negotiate its withdrawal with the European Council, a process that may take as long as two years once Article 50 is invoked. Multinationals and companies that are thinking about establishing a presence in the UK and/or EU will be watching those negotiations closely in order to determine how the UK’s change in status will affect business going forward.
One area of concern, among many, is privacy and data protection. The UK’s current data protection regime was structured to comply with the guidelines set out by Directive 95/46/EC, commonly known as the EU Data Directive, which establishes certain baseline standards EU Member States must adopt as laws in order to protect personal data. In 2018, the Directive will be replaced and EU data protection laws will be overhauled by the General Data Protection Regulation (GDPR), which will directly impose a uniform data protection law regime on all EU members. However, now that the UK is set to leave the EU, these EU-wide data protection measures may no longer apply in the UK. Accordingly, there are several key privacy and data protection issues to watch as the UK’s exit negotiations proceed.
- Will the UK continue to follow the standards set out by the Directive and, beginning in 2018, the GDPR? In theory, once the UK leaves the EU and no longer has to follow the Directive or GDPR (whichever is in force at the time of exit), it could pass its own unique data protection laws that do not necessarily comply with the EU’s corresponding measures, or it could simply not amend its current laws to conform to the GDPR. However, a complete or otherwise significant overhaul of the UK’s current data protection laws not only would be a formidable task, but could risk the EU branding the UK – like the US – as a jurisdiction with “inadequate” privacy laws, which would impact cross-border transfers of personal data from the EU to the UK (see below). On the other hand, the UK could adopt the approach of Norway, Iceland, and Liechtenstein, which are not EU Members, but instead are European Economic Area members that comply with EU data protection measures. The UK could also follow non-EEA Member Switzerland’s example and maintain data protection laws that are similar to those in the EU. Either of these latter approaches would help ensure that the UK’s data protection laws remain reasonably harmonious with the law in the EU, thereby enabling an easy path for data to leave the EU and arrive in the UK.
- How will cross-border transfers of data from the EU to the UK proceed? One of the advantages of the Directive (and the GDPR, once it comes into force) is that it standardizes data protection law across the EU to a significant degree, meaning that personal data can be transferred between EU Members like France and Germany because there is not much concern for the continued legal protection of that data once it crosses a national boundary. If, upon leaving the EU, the UK decides not to comply with the Directive or GDPR (again, whichever is in force at the time), seamless cross-border transfers of personal data from the EU to the UK could be jeopardized. As mentioned above, however, the UK could negotiate an approach through which it would maintain laws that comply with the principles of the Directive and GDPR, which would in turn allow the UK to earn the all-important “adequacy” determination that would allow personal data to flow freely between the EU and the UK.
- How will cross-border transfers of data from the UK to the US proceed? The EU has adopted certain mechanisms, including standard contractual clauses (model contracts) and binding corporate rules (BCRs), that allow entities to legally transfer personal data from the EU to the US. As mentioned above, the EU considers US privacy laws to be inadequate, and these mechanisms were adopted as a means of ensuring that personal data of EU data subjects will remain protected once transferred the US. Although the Safe Harbor program was invalidated last year, the EU is considering adopting the Privacy Shield, which is designed to further ease transfers to the US (although it has not yet been implemented). But now that the UK has decided to leave the EU, the question is whether companies will be able to continue to use mechanisms such as model contracts and BCRs to transfer data from the ex-EU Member State to the US. For those companies that already have model contracts and BCRs in place to legitimize data transfers from the UK to the US, those instruments will have to be revised to reflect the change in the UK’s status once the UK officially leaves the EU.
Despite the potentially serious implications detailed above, the sky may not necessarily be falling when it comes to privacy and data protection in the wake of Brexit. As companies in the US have learned, even those entities based in jurisdictions with “inadequate” privacy laws have to comply with EU data protection laws one way or another – generally through model contracts and BCRs – in order to transfer data from the EU to a non-EU jurisdiction. Simply put, the extraterritoriality of the EU’s data protection laws make them impossible to ignore for those companies that wish to have any sort of business contact with the EU. In all likelihood, the UK will recognize the same, and EU data protection laws will remain highly influential in that jurisdiction.
At the moment, however, there are more questions than answers about the future of the UK’s relationship with the EU, and companies should keep a close eye on the upcoming negotiations between the UK and the European Council in order to determine which way the winds are blowing. Be sure to check back here for updates on how those negotiations proceed as they relate to privacy and data protection issues.