What kind of impact will Brexit have on your organization’s privacy practices?
The United Kingdom held a much anticipated referendum on June 23, 2016 to decide whether or not to continue its membership in the European Union. In a close vote, the UK opted to withdraw its membership and leave the EU. Companies operating in the UK are now faced with the question of what needs to be done to make sure they’re still in line with data protection laws so there’s no disruption to business operations.
Before getting too antsy over new or changing data protection laws, it’s important to keep in mind Britain will probably need a minimum of two years to complete its withdrawal from the EU.
After the vote, Britain’s next move is to follow the steps in Article 50 of the Treaty on European Union and provide formal notice, which will trigger a two-year transition period. With UK Prime Minister Cameron resigning, it’s expected that notice will be served once his replacement is in place.
By leaving the EU, Britain takes on the burden of rewriting many of its laws, including standards relating to privacy and data protection.
Data Protection Changes
In terms of data protection requirements, any changes to the standards won’t be felt immediately. With the EU’s General Data Protection Regulation (GDPR) scheduled to become law on May 25, 2018, chances are the UK will have some overlap under the GDPR.
Obviously, businesses will want to trade with the EU, so the UK will most likely look to implement a data protection framework similar to the GDPR. In order for data to continue to flow from the EU to the UK, the UK will need to be recognized by the EU as an “adequate” jurisdiction.
As stated by the UK Information Commissioner’s Office, “If the UK wants to trade with the Single Market on equal terms … UK data protection standards would have to be equivalent to the EU’s GDPR framework starting in 2018.”
At first glance, it appears the key issue for the UK to address in their data protection standards will be mass surveillance. As previously noted, the Safe Harbor framework between the EU and US collapsed based on Snowden’s revelations about the NSA’s mass surveillance tactics.
In those same documents, Snowden shed light on the mass surveillance practices of the UK’s GCHQ intelligence agency. The UK government will have to prove that its current practices don’t infringe on the human rights of EU citizens and that they provide “essentially equivalent” safeguards for EU citizens’ information as EU member states do. But as we’re seeing with the US-EU Privacy Shield, many privacy and surveillance changes will be needed to meet this standard.
In the end, data protection standards aren’t likely going to be affected… at least not right away. The two-year withdrawal process gives privacy professionals a good window to become familiar with and prepare for any changes.
It sounds like we’re going to see another Safe Harbor situation. The UK is going to have to work with the EU to develop a data protection framework that will allow free flow of data from the EU.
For the time being, organizations should continue preparing for the GDPR to take effect. The best approach is to make sure your organization has a data protection framework in place that’s aimed at meeting the standards set out in the GDPR.