Companies Should Focus on EU Privacy Regime Post-Brexit

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim

June 24 — Companies that process or send data to European Union nations and the U.K. need to remain focused on upcoming changes to EU data protection laws despite Brexit, privacy attorneys told Bloomberg BNA June 24.

“The initial advice is for businesses to continue to focus on the internal changes they need to be making to get ready for the new EU General Data Protection Regulation (GDPR),” Rafi Azim-Khan, partner and head of data privacy in Europe at Pillsbury Winthrop Shaw Pittman LLP in London said June 24. “There should be no distraction from that given the major new fines will still be a real business risk.”

Despite the U.K.’s decision to quit the EU, U.K.-based multinational and local businesses that process or send data to any of the other 27 nations in the EU will be required to follow the GDPR.

“The situation will remain unchanged at least until there's a formal Brexit. There's no short-term concern” for companies operating in the U.K. and EU, Mark Prinsley of Mayer Brown LLP in London said June 24.


In the long-term, however, U.S. businesses will face a more complicated enforcement regime across the Atlantic. Instead of taking advantage of the one-stop-shop that the GDPR will establish, “U.S. companies with establishments or activities in both the U.K. and EU would—similar to the position now—face enforcement from more than one regulator,” Jonathan Kirsop, partner at Stephenson Harwood in London said.

Negotiating the U.K.’s departure from the EU is also very likely to take place after the May 25, 2018, deadline for the GDPR to come into force, James Mullock,, a privacy and data protection partner at London-based Bird & Bird, said June 24.

“That's significant because it means that the U.K. will almost certainly experience life under the GDPR” despite its exit from the EU, he said.

British citizens voted to leave the EU in a June 23 referendum. The U.K. joined the then-European Economic Community in 1973.

Withdrawal Likely Two Years Away

Under Article 50 of the Lisbon Treaty, the U.K. will have to serve notice of its intention to exit the EU and negotiate a withdrawal agreement, Mullock said.

“Unless there is unanimous agreement to the contrary, the earliest that any withdrawal agreement will take effect under Article 50 seems likely to be two years from service of notice of the U.K.'s desire to Brexit. In reality it may take considerably longer,” he said.

Prime Minister David Cameron, in his June 24 resignation speech following the Brexit vote, said he would not trigger Article 50 until the next prime minister is chosen by October 2016.

Two potential successors—Conservative members of Parliament Boris Johnson and Michael Gove—also said June 24 that a new government shouldn't be rushed into implementing Article 50.

Trading With EU Requires GDPR

Mullock said any U.K. business that trades in the EU “will have to comply with the GDPR despite Brexit taking effect.”

“That's because the GDPR's many obligations will apply to organizations located anywhere in the world which process EU citizens' personal data in connection with their offer of goods or services, or their ‘monitoring' activities—defined to pick up many online behavioral marketing activities,” he said.

A spokesman for the U.K.’s data protection authority—the Information Commissioner's Office—agreed that if any business based in the U.K. “wants to trade” with EU member states “on equal terms,” it would have to prove that it ensures an adequate level of protection for the data.

“In other words U.K. data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018,” an ICO spokesman said June 24.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the U.K. law remains necessary,” the ICO spokesman said.

U.S. Business Impact

U.S. companies will be regulated by separate data protection enforcement authorities in the U.K. and EU, but the U.K.'s desire to trade with EU member states and demonstrate adequacy will likely mean that the systems will be very similar or identical, Kirsop said.

“From recent discussions with privacy commissioners, it's highly likely that any updated U.K.-specific legislation will closely mirror EU data laws,” Azim-Khan said.

Moreover, U.K. and EU privacy laws are both rooted in the same traditions as the European Convention on Human Rights, Prinsley said.

It's unclear whether mechanisms for personal data transfers to the U.S. will diverge between the U.K. and EU as the EU-U.S. Privacy Shield continues to be debated.

“I don't expect the nuts and bolts of the transfer mechanisms, such as model contracts and binding corporate rules, to change much, if at all,” John Drennan counsel at King & Spalding LLP's data, privacy and security group said.

Despite the similarity of any regime that emerges in the U.K., “businesses will need to closely keep an eye on not just the changes needed to deal with the GDPR, but also any exception or variation that may be introduced specifically for the U.K.,” Azim-Khan said.

EU: ‘Dim View’ of Weak Privacy Laws

Even if a future U.K. government decides to strike a trade deal with the EU that covers data protection, it would in theory “have free rein to choose the form of data protection laws which it introduces to update” the U.K.’s Data Protection Acts 1998 and 2003, Mullock said.

“However, recent history tells us that, when it comes to the question of data transfers, EU regulators and courts take an extremely dim view of countries which do not adopt EU-strength data protection laws, ” he said.

“Without the U.K. as an EU member state, it's possible that the EU's stance on data transfers will harden,” Drennan said, because a higher percentage of EU member states will be more skeptical about national security surveillance.

The current stand-off with the U.S. with respect to the now-invalid Safe Harbor data sharing arrangement is a case in point, Mullock said, referring to the program that was invalidated last year (194 PRA 194, 10/7/15).

“A higher percentage of voices in the EU will now understand certain national security-related intrusions into personal data as human rights violations,” Drennan added.

“Brexit could result in a ‘push and a pull' situation that affects cross-border data transfers depending on where one stand on the globe; in Britain or in the EU,” he said.

By Ali Qassim

With assistance from George R. Lynch in Washington

To contact the reporter on this story: Ali Qassim in London at

To contact the editors responsible for this story: Donald G. Aplin at ; Daniel R. Stoller at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.