Brexit is likely to cause years of future uncertainty around data protection, including the legal mechanisms for data transfer to countries outside of the United Kingdom ("U.K."). In the short term, there will be little to no impact on existing data transfer solutions implemented by companies that rely on the U.K. as an entry point into the European Union ("EU"). In the mid-term, with the scheduled implementation of the EU-U.S. Privacy Shield ("Privacy Shield") in 2016 and the EU's General Data Protection Regulation ("GDPR") in 2018, the U.K. will either continue to be subject to EU laws by extending its membership in the European Economic Area ("EEA") or it will create its own national data protection legislation. Although companies may have to rethink data transfer agreements, this will be part of a long term process as the future of U.K. data protection continues to unfold.
Short Term—What to Expect in the Next 12 Months
In the wake of Brexit, the greatest amount of certainty will exist in the short term. It will be at least two years before any significant changes occur that would impact data flows to and from the U.K. From a procedural standpoint, the U.K. cannot formally exit the EU until the U.K. gives formal notice of its intention to depart. Once the U.K. provides formal notice, Article 50 of the Treaty of Lisbon establishes a two-year period for negotiating exit terms. The U.K. will not provide formal notice, thus tolling the two-year period, until a new British prime minister is appointed in October of this year. In the meantime, companies can continue to rely on existing data transfer mechanisms between the U.S. and the EU, the U.S. and the U.K., and the EU and the U.K. They should also continue preparations for the GDPR, as the U.K. will be subject to the law, at the very least, during the several months "gap" between GDPR implementation and the U.K.’s formal exit from the EU.
Mid-Term—GDPR Implementation, Privacy Shield, and the EEA
The GDPR is currently scheduled to take effect in May 2018. Because of the timing of the appointment of a new British Prime Minister, the U.K. will have to comply with the GDPR at least for a short interval before the U.K.'s departure. U.S. and EU officials have finalized Privacy Shield negotiations, which is also tentatively scheduled to become effective sometime this year. The applicability of the Privacy Shield or a similar mechanism to carry out data transfers from the U.K. to the U.S. has not yet been determined.
After departure, it is unclear which path the U.K. will choose for data protection. The U.K. can remain part of the European Economic Area agreement, which would allow it to remain part of the EU single market and comply with specific EU rules and restrictions. The U.K. would be among other non-EU members of the EEA such as Norway, Iceland, and Lichtenstein. EEA compliance would require the U.K. to accept the GDPR. The U.K. may also consider adopting Switzerland's approach. Switzerland is not a member of the EEA, but is a member of the European Free Trade Association ("EFTA"). Membership in the EFTA permits access to the EU single market. Switzerland maintains its own data protection laws, which have been recognized by the European Commission as adequate. Finally, the U.K. may opt for the approach taken by the World Trade Organization, which would enable the U.K. to create its own data protection laws subject to EU regulator approval. The approval process would be similar to that of the EU-U.S. Privacy Shield.
Long Term—How Will Brexit Impact Your Business?
The EU diplomats stated that they would like the U.K. to be out of the EU before the European Parliament elections are held in May 2019. If your company anticipates that Brexit will impact current data protection compliance or data transfer solutions based on existing U.K. law, your company may need to reexamine or reconfigure these solutions.
In the interim, there are some items that your business should consider—
- Implications for companies that have U.K.-based subsidiaries: Companies with U.K.-based subsidiaries should continue to monitor developments with U.K. data protection laws. The U.K. may continue down the path to implementation of the GDPR or evolve its laws in a different direction. Regardless of where the U.K. ends up, companies established in the U.K. likely will not fully escape the GDPR, which is expressly extraterritorial in its scope and would likely reach U.K.-based companies operating in the broader EU market.
- U.K.-based subsidiaries that serve as an entry point to the EU: In the wake of the demise of the U.S.-EU Safe Harbor program last fall, many U.S.-based companies have implemented solutions such as model contractual clauses for the transfer of personal data of EU data subjects to the U.S. These companies should keep abreast of the effectiveness of their chosen mechanism(s) in light of the changes that are coming in U.K. data protection law. It could be that U.K. data flows become subject to different mechanism(s) than the broader EU, or that two sets of data transfer agreements (for U.K.-U.S. transfers and EU-U.S. transfers) are required.
- Compliance with GDPR: As more companies begin to evaluate their potential liability under the GDPR, the first step is often to assess their international data flows, a process that many companies are just beginning now. Companies should pay special attention to data flows to and from the U.K., as it may be useful to understand these data flows if they become subject to U.K.-specific obligations that are distinct from those under the GDPR contract.