As the entire world knows, the United Kingdom has voted by a narrow majority to leave the European Union (“Brexit”). But the Brexit process will take time, and the implications for businesses will also unfold over time. In this blog post, we take a look at the potential privacy and data security implications of Brexit.
No Changes in the Short Term
For the time being, the UK remains a member of the EU, and the Data Protection Directive (“Directive”) and the e-Privacy Directive, as currently implemented in UK law, continue to apply. The Directive will be replaced by the EU General Data Protection Regulation (GDPR) in May 2018, and the e-Privacy Directive is expected to be revised in the meantime to reflect the changes that the GDPR will bring. Given the time that will elapse before Brexit actually occurs, it may well be the case that the GDPR will apply in the UK before the UK formally exits the EU.
As the GDPR takes the form of an EU regulation, it will be directly applicable in all EU Member States, and the UK will not need to take any legislative step for it to become part of UK law. Further, it may well be the case that the UK will have to implement the revised e-Privacy Directive into UK law before Brexit takes place. Until the UK formally exits the EU, data transfers between the UK and the other EU countries may continue as they do today, because the EU data transfer rules do not apply to transfers of personal data within the EU.
Changes After Brexit
The situation will change when the UK leaves the EU. From that moment on, the GDPR will no longer be applicable in the UK. The national laws implementing EU directives (including the e-Privacy Directive) will, however, remain in force until they are amended or repealed. The UK will also become a “third country” under the data transfer rules in the GDPR. As a result, a business established in the EU will only be able to export personal data to the UK if the UK ensures an “adequate level of protection” for such data, or if the transfer is covered by appropriate safeguards (such as standard contractual clauses or binding corporate rules) or falls under one of the specific derogations.
There are three options under which the UK may obtain the required “adequacy status,” with the third being the most likely:
• Becoming an EEA member: The UK may (like Norway, Liechtenstein and Iceland) become a member of the European Economic Area by becoming a signatory to the EEA Agreement. Under Article 7 of the EEA Agreement, the UK would still need to accept being bound directly by relevant EU laws relating to the four freedoms, including the GDPR. This option is unlikely to be pursued by the UK government in the form adopted by Norway, Liechtenstein and Iceland, in view of the fact that the UK would need to agree to be bound by many of the rules of the EU that have been unpopular with Brexit supporters, including the free movement of people.
• The Swiss solution: Switzerland is not part of the EU or EEA (although it has bilateral agreements with the EU allowing access to the single market). Although not bound by it, Switzerland has fully implemented the Directive into its domestic legislation and, on that basis, has received an “adequacy finding” from the European Commission. Switzerland has already indicated its wish to update Swiss legislation to reflect the application of the GDPR and retain its adequacy status. Also, although Switzerland is not subject to the jurisdiction of the European Court of Justice (ECJ), the ECJ’s case law has had a significant influence on Swiss legislation.
For instance, after the ECJ struck down the Commission’s EU-US Safe Harbor Decision, the Swiss authorities likewise declared that the Swiss-US Safe Harbor no longer provided a sufficient legal basis for exporting data from Switzerland to the U.S. As with EEA membership, the Swiss model would in practice require the UK to adopt the GDPR as it stands now, and to track any further EU legislation on data protection, without having any right to participate in EU rule-making. This option is unlikely to be pursued by the UK government in the form adopted by Switzerland, because it would entail the UK agreeing to be bound by many EU rules that have been unpopular with Brexit supporters, including the free movement of people.
• Full adequacy finding: Under this option, the UK would enact its own data protection laws and would then request the Commission to issue a decision that its legal regime is “adequate” when assessed against the standard set by EU data protection law. At first glance, this seems to be the preferred option, because it would enable the UK to relax some of the rules in order to facilitate trade (as it advocated in the negotiations over the GDPR). However, if the UK wishes to obtain a quick adequacy decision so that data transfers between the UK and the EU can continue uninterrupted at the moment of exit, it will likely have to adopt provisions that are close to the GDPR. Any other approach could set the UK back in obtaining a quick adequacy decision.
The EU may well be averse to any softening of the rules that would give the UK an advantage over EU Member States, or enable some form of forum shopping. It is therefore not surprising that the UK Information Commissioner’s Office (ICO) has already issued a statement that UK data protection standards would have to be equivalent to the GDPR. We note that the UK has been a long-standing advocate of data protection (it had a data protection law more than 10 years before the Directive was adopted) and that there is solid public awareness of privacy laws. The UK has also ratified Convention 108 (which sets out core principles for data protection) as well as the European Convention on Human Rights (“ECHR”, which in Article 8 provides for the right to privacy), and the UK is subject to the jurisdiction of the European Court of Human Rights. The ICO is a member of the Global Privacy Enforcement Network (GPEN), which is intended to strengthen cross-border information sharing and co-operation in cross-border enforcement among privacy authorities around the world. All of this points in the direction of adequacy.
We highlight, however, that the recent Schrems judgment of the ECJ may also have implications for the UK. In Schrems, the ECJ invalidated the Commission decision that approved the Safe Harbor Framework, which facilitated data transfers to U.S. companies that adhered to that framework. In short, the ECJ found that the privacy of EU citizens was not adequately protected, because the powers of the U.S. intelligence services went beyond what was strictly necessary and proportionate to the protection of national security, and because individuals did not have adequate means of judicial redress to protect their privacy. The concern that intelligence services have overly broad surveillance powers may well also apply to the UK intelligence services. More clarity may come from three cases pending before the European Court of Human Rights, brought by the UK Bureau of Investigative Journalism and a number of civil rights organizations, which claim that the generic surveillance powers of the UK intelligence services violate Article 8 of the ECHR.
In the short term, until the UK ceases to be a member of the EU, nothing changes and data transfers may continue as they currently do.
Whichever of the three options the UK ultimately follows to obtain adequacy status, the end result will be UK data protection legislation that is very much aligned with the upcoming GDPR and other EU privacy rules.
Next Steps for Businesses
• While it is expected that the Commission will eventually confirm “adequacy status” for whatever data protection laws the UK puts in place post-Brexit, it is possible that this will not have been done at the precise time of exit. In that situation, businesses would need to put in place alternative data transfer arrangements for transfers from the EU to the UK, such as entering into standard contractual clauses (SCCs). Controllers and processors can also “adduce appropriate safeguards” for their intra-group transfers by adopting binding corporate rules (“BCRs”). In any case, in the aftermath of the Schrems judgment, we see a trend of companies moving to implement BCRs in order to be less dependent on the adequacy decisions of the Commission and on the EU-US negotiations over the terms of the new Privacy Shield.
• Given the lead time needed to implement the GDPR requirements into business processes, businesses in the UK should continue their GDPR readiness programs. As indicated above, the rules that the UK ultimately implements will in all likelihood closely resemble the GDPR. Note further that the GDPR may continue to apply directly to the data processing activities of UK companies where they offer goods or services to individuals in other EU countries, or otherwise monitor their behavior. The same will apply to UK companies with establishments in other EU countries that operate central data processing systems, since processing carried out in the context of those establishments falls within the scope of the GDPR.
• The ICO has acted as the lead data protection authority (“DPA”) in approving BCRs in many instances. After the exit, the ICO will no longer be authorized to act as lead DPA. Companies whose BCRs have the ICO as lead DPA will therefore have to approach another EU DPA to act as their lead DPA. Businesses that are currently applying for BCRs, and that must select a lead DPA and co-lead DPAs, should take this into account.
* * *
For more insights regarding the potential legal implications of the recent Brexit vote, please see our MoFo Brexit Briefings page on the Morrison & Foerster website.