Britain’s decision to leave the EU poses questions about the future of data protection law, finds Ben Walker
It was a seismic morning. On 24 June, Britain, against all expectations, awoke to find it had voted in a referendum to leave the European Union. The big arguments over whether the decision was right – economically, politically, socially – won’t be settled for several years. Few on that morning were thinking of the details. But the details matter, not least in the world of data and its place in cyberspace.
In April 2016, the European Parliament approved the details of the General Data Protection Regulation (GDPR). The new rules are designed to protect consumer rights and to clarify personal data laws for businesses in the EU and those that trade with it.
Brexit, says Robert Cattanach, a partner at international law firm Dorsey & Whitney, places the UK’s integration with the regulation – and the rest of the continent – under threat.
“The referendum result creates chaos on at least two fronts regarding privacy issues,” he says. “The UK will not now automatically implement the GDPR, which was designed to normalize and harmonize privacy protection requirements, processes, and governance throughout the EU.”
Cattanach, who has worked previously as a trial attorney for the United States Department of Justice, fears that the referendum will give the UK the opportunity to wriggle free of a regulation that it was never very fond of in the first place. “Britain had not been a particularly ardent proponent of the GDPR,” says Cattanach. “And it appears likely that some of the provisions that are considered more onerous may not be embraced in what will now likely be a standalone regulatory scheme in the UK.”
So what are the consequences for the continent? Without catch-all regulations covering all its major economies, argues Cattanach, data rights management could become more complex.
“It raises the spectre of whether the UK’s privacy protection provisions will be deemed sufficiently robust by the EU to merit a finding of ‘adequacy’ that would allow automatic transborder transfers of personal information, as is currently the case,” Cattanach says. “The UK may well be forced to resort to the same sort of burdensome, binding corporate rules or model clauses now being required of most non-EU countries in order to transfer such information cross-border.”
There is a lot left to be determined: the timing, shape, and scope of the UK’s Brexit deal remain unclear. “But bureaucrats in Brussels are likely to take a particularly dim view of Brexit,” says Cattanach. “They may retaliate by finding the UK’s privacy regulations not sufficiently ‘adequate’ to allow it to continue to mesh freely with the rest of the EU from a privacy perspective.
“This would create enormous logistical difficulties – and impose significant expense – on virtually all companies in the UK that currently transfer personal information seamlessly between the UK and the rest of the EU.”
Yet other experts are more sanguine. “You might think that Brexit could make this new legislation null and void,” says Giulio Ricci (see panel below), chairman of computer hardware specialist The ITAD Works. “But all indications are that the UK will be looking to toe the line on the rules, to ensure easy and compatible business and trading rules with the EU. In fact, organizations outside the EU are still subject to the jurisdiction of the EU regulators just by collecting data concerning an EU citizen.”
Businesses working in or trading with Europe should get ready, says Ricci. Firms that fail to comply face fines which, for those in the financial sector, can reach up to 4% of the organization’s turnover.
“In many ways, preparing for the new GDPR involves using common sense,” says Ricci. “We all know that sensitive data has never been easier to obtain or disseminate electronically, while the risks to it have never been greater. A responsible organization will need to recognize the risks and ensure steps are taken to prevent and mitigate any potential problems.”
What is the GDPR?
The General Data Protection Regulation was created to regulate the progression of personal data, and is part of the EU privacy and human rights law. It is designed to harmonize the current data protection laws in place across member states and, as it is a regulation rather than a directive, it will be directly applicable to all EU member states without the need for national implementing legislation.
A key part of the GDPR’s remit is protecting personal data. This is defined as any information relating to a person who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Interestingly, there is no distinction between an individual’s private, public, or work roles.
The legislation will bring in a large number of changes. Organizations will need to consider it carefully and make sure they are compliant. Issues which are attracting particular focus include consent, increased administrative requirements and the need to provide a full audit trail, data exports, and the new obligations on data processors.
— Giulio Ricci, chairman, The ITAD Works