Many of you know by now that the EU’s General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used. The goal is to harmonize, modernize and strengthen data privacy and processing policies across Europe. GDPR replaces Directive 95/46/EC (the ‘Data Protection Directive’) which is out of date due to evolving technology standards.
Overall, the EU wants to give people (the data subjects) more control over how their personal data is used. Bear in mind that many companies, Facebook and Google among them, now trade access to that data for use of the company's service; this keeps the service free for consumers and has enabled the development of a robust Internet economy. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes, first, to improve trust in the emerging digital economy and, second, to give businesses a simpler, clearer legal environment in which to operate by making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year). GDPR requirements have been enforced since May 25, 2018. The Regulation requires organizations to diligently protect personal data and to provide proof of how that data is protected. GDPR sets a high standard for consent, which will have a huge impact on the marketing industry: customers will need to be given choice and control over how their data is handled.
For UK brands, of course, it has meant special treatment for the PII of its domestic (resident) citizens, as well as of European citizens resident in other countries; because, as we all know, U.K. citizens are also European citizens. However, following the UK's decision to leave the bloc, the government will be carrying out its plans to split from the EU, provisionally set for 29 March 2019. Since GDPR is a European Union law, and the UK will no longer be part of that political body (physically, of course, the UK is still part of Europe), this has raised some questions. You might be wondering how Brexit will, if at all, change how data is collected, processed and used. Here's my take on this issue:
1. What effect, if any, does Brexit have on GDPR? Brexit is still expected to take at least two (2) years to take full effect, meaning there should be a relatively orderly transition creating a cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. A second reason UK companies must comply is the extraterritorial reach of the GDPR: UK companies continuing to do business with the EU after Brexit will need to comply with the Regulation to avoid infringements.
2. After Brexit, can I continue to transfer data from the EU to the UK? Right now, as a part of the EU, the UK is NOT a third country. However, if Brexit does occur, the UK would be considered a third country and would have to follow the rules for moving data to a third country, just as the U.S. does now. After Brexit, companies can continue to transfer data to the UK provided that the UK is recognized by the European Commission as a country offering adequate protection. As it stands today, the U.S. is not recognized by the EC.
There are three possible outcomes in relation to the UK's application for an adequacy decision:
- No deal: The UK becomes a third country to which EU member states may not transfer personal data unless there is a legal data transfer solution in place.
- Adequacy decision: The UK is recognized as an approved country to which personal data may freely be transferred from EU member states. However, the ICO would not participate in the European Data Protection Board, which could result in an inconsistent approach between the ICO and European regulators. Of the three, this is the more likely outcome.
- Enhanced adequacy decision: The UK is recognized as an approved country, and the ICO would participate in the European Data Protection Board. This would mean not only that the UK would be certified as a safe country for data transfer purposes, but also that the UK's Information Commissioner would take part in the body responsible for the application of GDPR. Needless to say, this proposal by the UK government has met resistance from the EU, and it is unlikely for political reasons: the E.U. has not been especially open thus far to the suggestion that the UK should be permitted to enjoy the fruits of membership while no longer being a member.
3. What possible GDPR-related complications could result from Brexit? The most common problem faced by the majority of UK-based organizations is that they already possess personal data from individuals living in the remaining 27 EU member states. If those responsible for data collection at a business do not fully understand the new guidelines and use this data in an unlawful manner, the consequences may be devastating.
If the UK is denied a basic adequacy decision, it's still not the end of the world. There have always been various mechanisms by which the data in question can be transferred from EU storage to non-approved third countries, as is the case for the U.S. today. For example, there are standard contractual clauses, binding corporate rules and the EU-U.S. Privacy Shield Program. Standard contractual clauses might be the most relevant in this case: they are clauses governing data transfer that the European Commission has adopted in advance and that do not require approval each time they are used, and they are heavily relied on now by those in the U.S. wishing to transfer and process data from the EU to the United States.
When it comes to data protection legislation, the UK has been protecting data for decades; all this stretches back to the UK Data Protection Acts of 1998 and 1984. This means that the UK should be able to qualify for an "adequacy decision" from the European Commission. As I said above, such a decision would certify the UK as a third country with an adequate level of data protection in place through its domestic legislation, treaties or other international commitments. The good news is also that the preparation UK brands should already have undertaken for GDPR should stand them in good stead.
The Brexit vote is now rescheduled for January 15. Some minor details of the deal may have changed, but odds still favor Parliament rejecting it, in which case Prime Minister Theresa May will have to pull a quite different deal out of thin air, or postpone the departure date, or leave with no negotiated deal at all.
eec Chairman Emeritus
Chief Privacy & Security Officer; Return Path, Inc.