In the referendum on June 23, with voter turnout exceeding 70%, voters in the UK decided 52% to 48% to leave the European Union. The exit of the UK from the EU has been dubbed “Brexit” (Britain and exit). Under EU law, a member may exit subject to Article 50 of the Lisbon Treaty, which gives the UK and the EU two years to negotiate the terms of the UK’s exit.[i]
Data Protection and Brexit
In the near term, and until the UK effectuates its exit from the EU, the UK will continue to operate under existing EU law, and the new General Data Protection Regulation (“GDPR”), with mandatory compliance by June 2018, will shape the way UK firms handle personal data.[ii] Consequently, it is anticipated that UK firms will be required to implement GDPR policies concerning the protection of EU citizens’ data. This is echoed by the new Information Commissioner for the UK, Elizabeth Denham, who openly advocates for the UK to move forward with the GDPR irrespective of the impending Brexit.[iii] In many respects, therefore, technology firms in the UK have some assurance that the UK will move forward with the GDPR; however, some risk remains. Brexit follows closely on the heels of the European Court of Justice’s ruling that the EU/US Safe Harbor agreement was invalid, in large part due to the lack of data privacy protections for EU citizens.[iv] This is interesting to note, since Britain and Ireland were both largely supportive of the Safe Harbor agreement, whereas France and Germany had been pushing for more stringent privacy controls to safeguard their citizens’ data.[v] Consequently, while the replacement for Safe Harbor is being negotiated, the UK will likely take a very keen interest in both the direction and the outcome, since it often finds itself closely aligned with its ally across the Atlantic.
General Data Protection Regulation
The GDPR changes a number of things; the highlights are as follows. Personal data is expanded to include IP addresses and online identifiers, and companies must have explicit consent to use such data. Furthermore, citizens will be more readily able to ascertain which companies are storing their data and how their data is being used. The GDPR also introduces the concept of data portability, which allows a person to migrate their data between companies. It also imposes a duty on companies to notify when personal data is exposed (e.g. through a breach), and, upon request, personal data must be deleted. Along with duties comes liability: companies that suffer data breaches can face fines of up to €20 million.[vi]
EU-US Privacy Shield
Following the ruling against the existing Safe Harbor agreement, the US and EU put together what is termed the Privacy Shield. Under the proposed Privacy Shield framework, any US company that receives personal data from the EU must choose one of the following cross-border transfer mechanisms: (1) typical contractual clauses, (2) binding corporate rules (e.g. intercompany/affiliate data transfers), or (3) the Privacy Shield framework.[vii] Similarly, any EU company that transfers data to a US company must ensure that one of the three aforementioned schemes is in place prior to the transfer. Any transfer conducted outside these mechanisms would be deemed illegal. The Privacy Shield itself has several critical elements:
- Contractual Requirements for Onward Transfers of Personal Data to Third Parties: companies that transfer personal data to any third party must have specific contract provisions mandating that safeguards for the personal data persist even after the transfer and that the transferor retains control over the third party’s use of the personal data;
- Right to Modify Personal Data: the data owner has a persistent right to correct, amend, or delete personal data that is inaccurate or that has been accessed in an unauthorized manner; further, companies may not charge excessive fees when a user exercises these rights;
- Persistent Contractual Obligations: under this, any downstream party (e.g. recipient) of data must adhere to all of the principles and rights afforded a person with respect to their personal data;
- Opt-Out Rights: where personal data is either disclosed to a third party or when the data’s use is for a materially different purpose than the original agreement, the subject has an option to opt-out (to include modifying use for direct marketing purposes);
- Dispute Resolution: there are a very specific set of steps and avenues for redress that may be pursued when a citizen asserts that a violation of the Privacy Shield has occurred;
- Ongoing Compliance Monitoring: the US Dept. of Commerce is tasked with continuous monitoring to ensure that there is full compliance amongst US companies with the Privacy Shield provisions;
- Restrictions on Bulk Collection: this was one of the leading criticisms of the EU-US Safe Harbor agreement following the revelations by Edward Snowden. Within this, bulk collection is expressly forbidden except in cases where selective collection is impractical and even in those outliers, minimization procedures must be effected to ensure that access to data is for specific purposes only;
- Establishment of a Privacy Shield Ombudsman: this role will be filled by a person designated by the Secretary of State and will utilize additional State Department personnel as needed to ensure that this role is carried out in the absence of any influence or involvement by the Intelligence Community;
- Annual Periodic Reporting and Assessment: data protection authorities from both the EU and US Dept. of Commerce will conduct periodic, annual reviews of the Privacy Shield framework to ensure compliance and to assess and advise of changes that should be implemented.[viii]
What path will the UK take?
Given that Brexit is going to take a minimum of two years, it seems the UK will have no choice but to comply with the GDPR regulations that take effect in 2018. Having done so, moving away from them to adopt an agreement such as the Privacy Shield would come down to a cost-benefit analysis in which the most efficient solution may well be to simply continue under the GDPR. However, as the UK continues to assert independence from the EU, it may need to find and validate a competitive advantage, which could potentially be achieved by moving away from the GDPR and into the Privacy Shield framework. While the negotiations are only entering their nascent stage, it will be important for EU and UK privacy interests that the terms of the GDPR or a Privacy Shield-like agreement be fully ironed out. Once outside the EU, for example, the Data Protection Act would no longer treat the UK as a “safe” destination for data, since the UK would be external to the European Economic Area. Thus, either the negotiations under which the UK leaves the EU will have to include some of these provisions, or the UK could be folded into, or create, its own Privacy Shield framework within which it could continue to operate.[ix]
Irrespective of the approach the UK takes, it seems clear that data protection is going to be a topic of interest during the negotiations, and citizens and companies will have a vested interest in the outcome. Depending on how this develops and on what is implemented, companies in the UK may be merely on a level playing field with EU companies, or they may be able to bargain for a comparatively better position that allows UK companies to differentiate themselves from either a cost or a services perspective. Meanwhile, the UK’s slow shift towards some of the US philosophies, and its support for the previous Safe Harbor agreement, may indicate that the UK is interested in adopting or becoming a partner in the new Privacy Shield agreement. The last thing the UK wants is a competitive disadvantage; how it positions itself, and what other options are “on the table,” will ultimately decide which way the UK chooses to move forward.
[i] Brian Wheeler and Alex Hunt, Brexit: All you need to know about the UK leaving the EU, BBC News, available at http://www.bbc.com/news/uk-politics-32810887 (Oct. 3, 2016) (the two-year time period begins once Article 50 is invoked and negotiations start).
[ii] Nick Heath, Brexit: 5 ways the UK leaving the EU will affect tech firms, TechRepublic, available at http://www.techrepublic.com/article/brexit-5-ways-the-uk-leaving-the-eu-will-affect-tech-firmsect-tech-firms/ (Jun. 24, 2016).
[iii] Adrian O’Connell, Information Commissioner calls for post-Brexit Britain to implement EU data rules, Irish Legal News, available at http://www.irishlegal.com/5462/information-commissioner-calls-for-post-brexit-britain-to-implement-eu-data-rules/ (Oct. 3, 2016).
[iv] Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, The New York Times, available at http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0 (Oct. 6, 2015).
[vi] Joe Curtis, EU passes GDPR laws that require companies to drastically improve their data privacy policies, ITPro, available at http://www.itpro.co.uk/data-protection/26365/your-business-must-prepare-today-for-2018-eu-data-protection-laws (Apr. 15, 2016).
[vii] Chanley T. Howell, et al., Safe Harbor Replacement EU-US Privacy Shield Approved, The National Law Review, available at http://www.natlawreview.com/article/safe-harbor-replacement-eu-us-privacy-shield-approved (Jul. 12, 2016).
[ix] Toni Vitale, Brexit and Data Protection – Q&A, Lexology, available at http://www.lexology.com/library/detail.aspx?g=45fa1c0a-54c4-465e-a752-c27a80a6736a (Jun. 30, 2016).