The data protection legislation in the post-Brexit scenario
According to the UK Data Protection Authority, it is reasonable to believe that the national data protection laws will remain unchanged at least until exit negotiations will have outlined a new status of the UK outside the EU. In fact, as a preliminary note, it can be said that there is no evidence that current national legislation and case law on privacy and data protection, as drafted in accordance with EU founding treaties, shall in any case be lost or “blown away” just because of the fallout of a possible post-Brexit scenario.
Brexit is not likely to affect at all current British legislative standards on privacy and data protection, at least for two main reasons: firstly, there is the UK desire to have continued access to the European Economic Area and to the forthcoming Digital Single Market; the second issue concerns the likelihood that companies and multinational corporations based in London – in absence of the adequate legal safeguards able to protect the value of their data flows – could begin to seriously consider the advisability of moving its headquarters elsewhere.
In this context, the role of the UK Data Protection Authority could dramatically change: weakened and resized in a post-Brexit scenario, technically the ICO will no longer take part in crucial discussions on the modalities of implementation and fulfilment of the new GDPR, as well as on the definition of the mode of operation of the Digital Single Market.
Therefore, in a comparable position to the EFTA countries (European Free Trade Association, composed of Switzerland, Norway, Iceland and Liechtenstein), the UK may loose its member status in the Article 29 Working Party, as well as any influence within the forthcoming European Data Protection Board.
UK based law firms, in turn, will likely loose their prominent position in Europe as an international hub for all multinational corporations dealing with the EU legislations and different jurisdictions.
Realistically speaking there is enough and maybe too much to suggest that the UK will want to keep as much as possible the current regime on instead of a real Brexit in the digital market.
In this regard, if the UK did not achieve a status similar to Switzerland – which, by implementing about the 80% of Community legislation, accesses de facto to many benefits of the full membership of the Member States, even if the recent Swiss referendum on transborder workers it is seriously triggering and challenging Switzerland’s privileged status – then it should confront with a more complex data transfer mechanisms than those valid within the EU.
As a consequence, Britain would be considered as a third country and, accordingly, the data transfer could take place only where a European Commission adequacy decision has been adopted, or, at best, a sort of “UK Privacy Shield” has been negotiated. Otherwise, the UK could only ensure compliance only by encouraging the adoption of legal tools such as Binding Corporate Rules and Standard Contractual Clauses.
Furthermore, among some of the major concerns of the post-Brexit data protection scenario, the functioning of the so-called One-Stop-Shop seems likely to be a top one, especially when considering the absence of any formal recognition to ICO as part of the mechanism as such.
In this context, the One-Stop-Shop could prove to be a double-edged weapon for UK legislators: on the one hand, Britain would in fact enjoy greater freedom to regulate data protection and differentiate UK disciplines from the limited scope that the GDPR is leaving to EU Member States; on the other, however, the risk of increasing the competitive gap with the EU because of a different national discipline on data protection might cause difficulties for the most important UK business sectors such as technology, banking and legal and financial services.
Moreover, UK legislators might want to express a more favourable position as to the extent of some of the main features of EU data protection rules. In fact, the UK has now the ability to attract multinationals companies by softening penalties – also through new and more advantageous corporate tax cuts – and reducing administrative burdens relevant to the One-Stop-Shop mechanism as well as limiting the extra-territorial scope of GDPR’s principle of “one continent, one law”.
If, on one hand, the goal of becoming more appealing internationally – by softening the legislative framework with regard to privacy compliance – may constitute a strong competitive tool on the other hand, the lack of safeguards and enforcement mechanisms could, in fact, discourage foreign investment.
Companies that had sought to manage all the regulatory relationships with the European Authorities thanks to their London hub – often coinciding with the main headquarter of the most important multinationals – also by benefiting from the upcoming One-Stop-Shop mechanism, henceforth, will have to revise their plans in this respect.
Dublin, Paris, Frankfurt and Milan are already prepared to welcome the new head offices of “deserting” multinationals, by applying to become the new European capitals for legal and financial services. Hence, the post-Brexit era must be closely monitored by taking into account the possibility that may occur significant changes in the economic and legal European scenario.