Brexit: Don’t Leave Your Data Security Behind

By Gary Gonzalez

The United Kingdom, by a narrow margin of 52% to 48%, voted to leave the European Union.[1] Various reasons have been offered for the withdrawal, most notably immigration and its impact on the local economy.[2] As part of the withdrawal process, the United Kingdom must evaluate many of its policies and determine how best to govern in the future. Despite the intent to leave the European Union, the United Kingdom should still follow the pending European Union regulations regarding data security and privacy.

To begin the withdrawal process, the United Kingdom (“UK”) must invoke Article 50 of the Lisbon Treaty.[3] The UK’s new Prime Minister, Theresa May, stated this won’t occur before the end of 2016; however, once invoked, the UK and the European Union (“EU”) will have two years to negotiate their separation.[4] Until the withdrawal has been completed, EU regulations will still apply to the UK but the UK will not participate in new EU decisions.[5]

Currently, the UK operates under near-obsolete data privacy laws, chiefly the Data Protection Act.[6] A prestigious UK law firm, Bird & Bird, states the Data Protection Act has been around since 1995 “when Google was 3 years from incorporation, Mark Zuckerberg was 11 and cloud computing was in its infancy. . . [The current law] is long overdue [for] a significant refresh.”[7] As long as the UK is part of the EU, or under its regulations, that “refresh” date is less than two years away.[8]

The EU has selected May 25th, 2018 as the enactment date for the General Data Protection Regulation (“GDPR”). Putting the Brexit vote aside, the GDPR will replace the existing data privacy laws in the UK,[9] as well as the current EU Data Protection Directive 95/46/EC.[10] The GDPR places multiple accountability obligations “on data controllers to demonstrate compliance.”[11] Furthermore, the GDPR imposes direct obligations on data processors, which did not exist under the prior regime.[12]

Under the GDPR, data processors will now have, inter alia, an obligation to: (1) keep written records regarding their processing activities, (2) elect a data protection officer, or appoint a representative if outside the EU, and (3) use new notification procedures when a data breach occurs.[13] UK businesses are likely to oppose these changes because compliance will require investment in new technology and additional staff training; as of September 2015, 40% of UK businesses had made no provisions for the new rules.[14]

Despite the added costs to business, the UK should seek to establish data security measures equivalent to the GDPR. Businesses are likely to object to meeting the exact standards of the GDPR because a security breach in the business would allow European regulators to fine up to four percent of global turnover,[15] or total revenue.[16] However, if the UK attempts to negotiate its own data privacy regulations, it may isolate UK-based businesses.[17]

The isolation of UK businesses can occur if the EU determines the UK’s data security laws are insufficient.[18] This isolation can lead to inconvenience and increased costs for UK businesses.[19] Such isolation, inconvenience, and increased costs would be similar to the problems the United States recently faced following the Safe Harbor invalidation.[20] Even if the UK established a framework similar to the Safe Harbor, or the more recent Privacy Shield,[21] that framework would still be vulnerable to legal challenges.[22]

If the UK is unsure about the adequacy of its potential privacy laws, it may attempt to follow the Swiss Model or the European Free Trade Association Model.[23] It is important to note, however, that both models require protections similar to the GDPR.[24] If the UK followed the Swiss Model, it would require a bilateral agreement, updated regularly, to gain access to the EU single market.[25] Notably, though, the Swiss data privacy laws have been deemed adequate by the EU, whereas any new laws in the UK may not meet the adequacy standards.[26] Therefore, the UK would likely need to create laws that meet the standards of the GDPR, so it is arguably more efficient to follow the mandates of the GDPR without needing additional negotiations and bilateral agreements.

If the UK sought to follow the European Free Trade Association (“EFTA”), or Norwegian, Model, the UK would continue as a member of the European Economic Area, thereby benefiting from existing trade agreements and retaining access to the single market.[27] But the UK would have an obligation to comply with select EU rules and restrictions.[28] Norway, Iceland, and Liechtenstein, all non-EU members, follow this method.[29] Each of these countries, nevertheless, has followed EU guidelines for the Data Protection and e-Privacy Directives in its local data laws.[30] This method, therefore, also requires the UK to enact local laws that meet the mandates of the GDPR. Once again, it is likely easier and more efficient to adopt the GDPR requirements to avoid future legal challenges.


Conclusion

In brief, the UK, despite any objections by local businesses, should comply with the GDPR regulations. The UK participated in the decision-making process regarding the GDPR and its ratification. The GDPR provides the requirements for businesses and, so long as the requirements are met, will not subject the UK to adequacy-of-law challenges in the future. If the UK seeks to negotiate its own data privacy laws, local businesses will face an uncertain future. The laws may be found inadequate in the future and place businesses in a precarious position. Even if the UK sought to follow the Swiss Model or the EFTA Model, its laws must still comply with certain EU rules and regulations. For efficiency and certainty, the UK should follow the mandates it approved by participating in, and ratifying, the GDPR.


* * * * * 

[1] Brian Wheeler & Alex Hunt, Brexit: All you need to know about the UK leaving the EU, BBC News (Aug. 10, 2016), http://www.bbc.com/news/uk-politics-32810887.

[2] David Frum, Why Britain Left, The Atlantic (June 24, 2016), http://www.theatlantic.com/international/archive/2016/06/brexit-eu/488597/.

[3] Wheeler & Hunt, supra note 1.

[4] Id.

[5] Id.

[6] James Mullock & Simon Shooter, Brexit: Data protection and cyber security law implications, Bird & Bird (June 24, 2016), http://www.twobirds.com/en/news/articles/2016/uk/brexit-data-protection-and-cyber-security-law-implications.

[7] Id.

[8] Id.

[9] Gail Crawford & Ulrich Wuereling, What Does Brexit Mean for UK Data Protection Law?, Latham & Watkins (June 28, 2016), http://www.latham.london/2016/06/what-does-brexit-mean-for-uk-data-protection-law/.

[10] Allen & Overy, The EU General Data Protection Regulation, 9, http://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf (last visited Aug. 20, 2016).

[11] Id. at 3.

[12] Id.

[13] Id.

[14] Ben Rossi, 77% of UK businesses say EU’s new data law is a financial burden, InformationAge (Sept. 29, 2015), http://www.information-age.com/it-management/risk-and-compliance/123460254/77-uk-businesses-say-eus-new-data-law-financial-burden.

[15] Duncan Robinson, Data regulation: Britain faces data privacy confusion after Brexit, The Financial Times (July 6, 2016, 5:54 AM), http://www.ft.com/cms/s/2/d352557e-3e94-11e6-9f2c-36b487ebd80a.html#axzz4HLmzUWwI.

[16] Overall Turnover, Investopedia, http://www.investopedia.com/terms/o/overall-turnover.asp (last visited Aug. 21, 2016).

[17] Robinson, supra note 15.

[18] Id.

[19] Id.

[20] Id.

[21] See International Trade Administration, Privacy Shield Framework, Dep’t of Com., https://www.privacyshield.gov/welcome (last visited Aug. 21, 2016).

[22] Robinson, supra note 15.

[23] Mullock & Shooter, supra note 6.

[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] Id.