Brexit Makes EU Data Transfer Adequacy Analysis Vital

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

Sept. 30 — U.K. businesses concerned about post-Brexit cross-border data transfers should be flexible in providing adequate privacy protection for individuals in the European Union, the U.K. privacy office's policy chief said Sept. 30.

It is unclear how negotiations to leave the EU are going to play out, so regardless of the outcome, companies need to “look at the suite of options available to ensure adequacy and chose the one that's easier to do,” Iain Bourne, group manager at the at the U.K. Information Commissioner's Office, said at a U.K. Direct Marketing Association conference.

The outcome of the U.K.'s negotiations with the EU shouldn't affect how companies prepare for the upcoming EU General Data Protection Regulation (GDPR), Bourne said. U.K. companies that do business in the EU will need to comply with the GDPR, which takes effect May 18, 2018.

Bourne's comments echoed those of U.K. Information Commissioner Elizabeth Denham made a day earlier.

In her first speech as the U.K.'s chief privacy regulator, Denham—who was formerly the head of British Columbia's privacy office—said Sept. 29 that businesses should to work towards complying with the requirements of the GDPR. The “GDPR is an incentive to improve your practices, to sharpen things up, and encourage organizations to look at things afresh,” she said.

Bourne said that the privacy office plans to be more lenient with companies that try “to comply with the GDPR but get it wrong” than it will with companies that “shrug their shoulders” and take little action towards compliance.

Alternative Data Transfer Mechanisms

Under existing U.K. privacy rules, personal data may be transferred outside the European Economic Area (EEA)—which includes Norway, Iceland and Lichtenstein—if that country ensures an adequate level of privacy protections for cross border transfer.

If the U.K. chooses to leave the EEA on top of leaving the EU, U.K. companies may have a harder time ensuring an adequate level of protection or data transfers between the U.K. and EU, Bourne said.

The decision to on whether to use standard contractual clauses or binding corporate rules once the U.K. officially leaves the EU will be a “policy call” for companies, Bourne said. U.K. companies should be open minded to all alternatives because its unclear “how adequacy will be assessed,” he said.

Brexit Implications for U.K. Law?

The privacy office plans to discuss with the U.K. government the implications that Brexit will have on “data protection reform in the U.K.,” Bourne said. The ICO will hold the position that the “GDPR ups the ante in terms of governance” and promotes transparency and accountability about the way companies use and retain data, he said.

Gilbert Hill, managing director of Governor Technology, said at the conference that instead of trying to avoid all EU data privacy regulations the U.K. should try to be a “beacon of data privacy.” The U.K. shouldn't aim to become a “light touch Las Vegas-style free data hub,” Hill said. U.K. data privacy rules should far exceed those of the GDPR, he said.

Amanda Arthur, head of data and analytics at Proximity London, agreed that the U.K. should be “standard bearers” for strong privacy protections. The U.K. should embrace the “GDPR and lead by virtue of our own example,” she said.

To contact the reporter on this story: Ali Qassim in London at

To contact the editors responsible for this story: Donald G. Aplin at ; Daniel R. Stoller at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.