There's more to the United Kingdom's pullout from the European Union than British nationalism at work.
Now that the shock has worn off, businesses are starting to assess the impact of the United Kingdom’s historic decision to leave the European Union, and one area of particular concern for many businesses is privacy and data protection.
U.S. companies transfer a staggering amount of data across the Atlantic daily. Changes to data-privacy obligations in the wake of the Brexit vote will directly impact how U.S. companies process international personal data and structure operations, and companies could face penalties for non-compliance under both EU and UK laws.
Businesses can at least be reassured that there will not be any immediate changes. Formal withdrawal will not begin until the UK invokes Article 50 of the Lisbon Treaty, and the UK government has indicated this likely will not happen until a new Conservative Party leader is elected in September.
Once Article 50 is invoked, it will start a two-year period of negotiations between the UK and EU over terms of exit and the UK’s new relationship with the bloc.
An independent UK will need to decide how to structure its data-protection regime. The UK’s current law, the Data Protection Act, is from 1998 and is outdated. In order for the UK to continue to trade data and do business with EU member countries on equal terms post-Brexit, any UK data-protection framework would need to have data-protection standards that are considered “adequate” or equivalent to the EU’s.
Meanwhile, the EU’s new General Data Protection Regulation, which significantly strengthens the bloc’s privacy standards, is scheduled to go into effect in May 2018.
Based on the timeframe for the UK’s withdrawal from the bloc, the regulation should be in place before the UK formally exits the EU, which means that the UK and any company that operates in the UK will need to comply with the requirements under the GDPR, at least for a period of time.
Post-Brexit, if the UK decides to join the European Economic Area or otherwise negotiate access to the EU single market, the UK would be required to implement data-protection standards equivalent to that regulation.
While any new UK data-protection regime would likely be similar to the regulation, it may not be identical. The UK prides itself on being more business-friendly than certain other EU member states. The UK may attempt to strike a balance between being friendly enough to attract outside investment and strong enough to meet EU standards for adequate protection.
Additionally, the EU-U.S. Privacy Shield, which governs EU-U.S. data flows and replaces the U.S.-EU Safe Harbor agreement that was invalidated last year, is being finalized.
The UK will fall under the Privacy Shield until it completes its withdrawal from the EU. However, the interesting question is what the UK decides to do about the Privacy Shield post-Brexit. The UK could explicitly approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish its own mechanism for UK-U.S. data transfers. Other EU data transfer mechanisms that are critical to the free flow of data, such as binding corporate rules and model contracts, will not be directly applicable to the UK once it leaves the EU.
Accordingly, the country will need to establish its own data-transfer systems or adopt and approve the EU’s mechanisms to ensure that international companies can continue to seamlessly transfer data.
It is likely that the status of data privacy obligations and requirements for international data transfers will be uncertain for a period of time. And once the dust settles, the UK may have a regime in place that differs to some degree from the EU’s.
To prepare for whatever lies ahead and to get their data management in order, it is more important than ever that companies know what data they have and where that data is flowing, not only between the U.S. and the EU but also between the U.S. and the UK. With globalization and increased off-shoring of business operations, even companies that currently operate only domestically could still encounter consumer and employee data that is transferred from overseas.