BREXIT BRIEFING: What changes for data protection legislation in the post-Brexit scenario, pending the full entry into force of the new GDPR?
On June 23rd, 2016, in a referendum unprecedented in contemporary history, the United Kingdom voted to leave the European Union, thereby triggering a two-year unilateral exit negotiation period during which the UK shall seek to effectively rethink its global position and its relationship with the EU.
In the meantime, although the effects of the so-called Brexit remain quite unpredictable, such a historical change will definitely impact the everyday life of millions of European individuals, businesses and public institutions. Even if premature, some preliminary considerations on the consequences of Brexit for some specific sectors can already be discussed.
The purpose of the present Memo is to consider the most likely effect of Brexit on current privacy legislation, on the internet and the digital economy as we know it and, most importantly, on the future entry into force of the new EU Regulation (GDPR) on data protection and free circulation of personal information throughout the continent.
In particular, the main focus of this Memo will be on: (i) the subjective consequences of Brexit on data protection enforcement, with special reference to the role of the Information Commissioner’s Office (ICO); (ii) the substantial consequences of the Brexit aftermath on a possible UK exclusion from the One-Stop-Shop mechanism; and (iii) any possible difference which might occur between the GDPR’s new sanction regime and the future UK legal framework on data protection.
- The subjective consequences of the post-Brexit scenario for data protection
The processing and transfer of personal data in the UK is currently regulated by the Data Protection Act of 1998, implementing EU Privacy Directive 95/46/EC, as well as by several other laws addressing the issue of data protection according to relevant EU standards.
Notwithstanding Brexit, and according to the ICO’s spokesperson, it is reasonable to believe that those laws will remain unchanged at least until exit negotiations have outlined a new status for the UK outside the EU. In fact, as a preliminary note, it can be said that there is no evidence that current national legislation and jurisprudence on privacy and data protection, as drafted in accordance with EU founding treaties and norms, will be lost or “blown away” just because of the fallout of a possible post-Brexit scenario.
Furthermore, Brexit is not likely to affect current British legislative standards on privacy and data protection at all, for two main reasons: first, because the UK will try not to lose access to the European Economic Area and the future Digital Single Market; and second, because without European data protection tools and guarantees many companies may seriously start considering moving their headquarters from London to neighboring Ireland or even back to the continent.
In this context, the role of the UK national data protection authority may change significantly over time: weakened and resized by the post-Brexit scenario, from a technical point of view the ICO will no longer take part in the upcoming series of crucial discussions on the implementation and application of the new GDPR, nor in those on the definition of the mechanisms regulating the future Digital Single Market.
If put in a position similar to that of an EFTA member (the European Free Trade Association, including Switzerland, Norway, Iceland and Liechtenstein), the UK would lose not only its full membership within the Article 29 Working Party but also any possibility of carrying weight in the future European Data Protection Board.
Finally, it has to be said that the weight of the referendum vote and its consequences could affect not only the uncertainties surrounding future EU – UK negotiation talks but also the role of UK independent authorities as reliable counterparts in the European debate on the future of privacy legislation in the continent and its pros and cons.
- Substantial consequences of Brexit and their legal implications
Among the major concerns of the post-Brexit data protection scenario, the functioning of the so-called One-Stop-Shop seems likely to be a top one, especially when considering the absence of any formal recognition of the ICO as part of the mechanism as such.
The One-Stop-Shop has represented a source of general uncertainty for European legislators and national DPAs since the first versions of the GDPR, and it is still unclear how its scope will extend to the British legal system and whether a simple update of the Data Protection Act 1998 will be sufficient to implement it.
Aside from the two-year period granted to Member States for adapting to the entry into force of the GDPR, coincidentally about the same time the UK will have to negotiate its exit strategy from the European Union, the British might be compelled to take a view of data protection partially in contrast with current EU rules and more oriented towards the American “privacy as a commodity” approach. This may in fact change the level of commercial attractiveness the UK will be able to offer to foreign capital and multinationals from now on and help it recover from a period of possible economic stagnation in the field of digital economy.
However, if making the UK internationally appealing by softening regulatory data protection standards in the area of privacy compliance could become a competitive tool to enhance Britain’s legal and economic system relative to that of the rest of the EU, the lack of appropriate safeguards and common enforcement rules to counterbalance such possible data security de-regulation could, on the contrary, discourage the arrival of foreign capital rather than encourage it.
In particular, as for the implementation of the so-called One-Stop-Shop mechanism, it will probably be necessary for the Article 29 Working Party and the Commission to take a decision on the role of the ICO in this transitional phase and in relation to the talks on its access to the consistency mechanism. On the contrary, any unilateral effort to extend the GDPR’s scope also to those countries that are not formally part of the EU (e.g. EFTA members as well as Turkey, the Balkans, and most probably the United Kingdom) would be completely useless.
In this regard, for example, if Britain were not to obtain a status similar to that of Switzerland, which, by implementing about 80% of EU legislation, is able to benefit from many of the full membership advantages reserved only to Member States, a feasible legal mechanism for allowing smooth data transfers from and towards the EU will have to be redesigned from scratch to adapt to this new situation.
In addition to that, by finding itself on the same level as those “third countries” for which European legislation always foresees specific authorizations for allowing the transfer of personal data, the UK might either hope for a specific adequacy decision in its favour – something similar to a “UK Privacy Shield” – or push for a further nationwide adoption of tools such as Binding Corporate Rules and Standard Contractual Clauses.
In this context, the One-Stop-Shop could prove to be a double-edged sword for the UK legislator: on the one hand, Britain would in fact enjoy greater freedom to regulate data protection and differentiate its national discipline from the narrow margin the GDPR is leaving to EU Member States; on the other, however, the risk of increasing the competitive gap with the EU because of a different national discipline on data protection might cause deep suffering for thriving UK business sectors such as technology, banking and legal and financial services.
In conclusion, consent, information to data subjects, data breach notifications, privacy impact assessments and all the other major institutions of the current European data protection framework are very unlikely to be subject to adjustments or radical changes leading them in a different legislative direction from that of the EU at large.
However, while it is certain that the web will continue to speak English throughout the world regardless of any post-Brexit scenario whatsoever, multinational companies will have to deeply rethink their role as key players within the future UK legal and economic system. Furthermore, most companies’ likely exclusion from the mechanisms of the future One-Stop-Shop will necessarily push UK top managers to reassess the convenience of keeping a London headquarters instead of moving to a European-based one in order to benefit from a single set of rules for, at least, data protection.
Dublin, Paris, Frankfurt and Milan are among the main contenders to become the new continental financial and legal hubs of the EU, already preparing to host the former London headquarters of some of the main multinational companies of the world. This is no longer a possibility but a fact of growing importance for the shift of the balance of economic power from the UK to the EU as well as for the applicability of the new GDPR, and it should therefore be taken into very serious account as soon as possible.
- Towards an EU – UK “double standard” for data protection sanctions regime?
As mentioned above, the British role in the global debate on the future of data protection is quite likely to be weakened by the current post-Brexit scenario: in particular, UK legislators will probably have to rethink their internal regulatory framework on privacy and data protection according to their future position outside the EU but also, paradoxically, according to the GDPR as well as other Member States.
This is in order not to remain completely isolated from the most important regulatory trends of the continent, and with the specific purpose of channeling all national reform efforts into the possibility of accessing the future Digital Single Market and the opportunities for growth and economic development that its creation will help spread throughout the EU.
Therefore, UK legislators might want to express a more favorable position as to the extent of some of the main features of EU data protection rules. In particular, this concerns the ability to attract multinational companies by softening sanctions – also through new and more advantageous corporate tax cuts – and by reducing administrative burdens relevant to the One-Stop-Shop mechanism, as well as by limiting the extra-territorial scope of the GDPR’s principle of “one continent, one law”.
The definition of “main establishment”, as elaborated also by the jurisprudence of the European Court of Justice, is a cornerstone of the scope and enforcement measures enshrined in the GDPR and could soon become the first subject of scrutiny in the UK process of re-writing the Data Protection Act according to EU rules but always in compliance with current continental data protection standards.
However, if on the one hand it is clear that the British will no longer sit at the table with EU decision-makers in Brussels, especially when discussing internet and e-commerce issues, on the other hand, general recognition for their help in building the mechanisms for regulating Europe’s digital economy will still grant them a privileged position in the political and business talks to come.
The economic fallout of Brexit is likely to be more traumatic in the long term: for example, the UK could no longer have access either to European cohesion funding or to incentives for ultra-broadband infrastructure, nor participate in Horizon 2020 research and development grants. Brexit is not likely to change the history of the Internet as we know it; however, the development of the digital economy in the EU and in the rest of the world might be subject to radical changes from this step into the unknown.
In conclusion, the UK will surely try not to further aggravate its position under the weight of a data protection regulation radically different from that of Europe, but soon-to-come strategic decisions for the future of the country will impose a deeper reflection on urgent issues such as: a possible UK version of the Privacy Shield, negotiations for accessing the single market and the TTIP, the European Economic Area and the future Digital Single Market, the jurisdiction of the European Court of Justice and a lot more coming up next in the field of data protection.
While waiting for further post-Brexit developments, it might be advisable for multinational companies and public administrations alike to keep focused on the real compliance challenges currently represented by the new and complex discipline of the EU General Data Protection Regulation.
* * * * *
For further information, legal advice and other more detailed questions on the GDPR and/or relevant compliance issues, please do not hesitate to contact our Team at: firstname.lastname@example.org