Brexit from EU Wouldn't Obviate Privacy Reg Mandates

By Ali Qassim

April 14 — A looming decision on whether the U.K. should quit the European Union—or Brexit—may not have much practical effect on how U.K. businesses deal with the requirements of the upcoming EU General Data Protection Regulation (GDPR).

Regardless of how U.K. citizens vote June 23, U.K.–based multinationals and local businesses that process or send data to any of the other 27 EU member states will need to abide by the GDPR when it is finalized and takes effect, privacy attorneys and industry professionals told Bloomberg BNA.

It is less certain what data transfer arrangements U.K.-based data controllers would use in renewed trade agreements with both former EU partners and non-EU partners, they said.

Leaving the EU—which the U.K. joined in 1973 when the bloc was known as the European Community—also raises questions as to how the U.K. would cooperate with the U.S. and its other allies in combating terrorism and cybercrime. The sequence of the finalization of the GDPR and the outcome of the Brexit vote may also result in considerable procedural problems.

The outcome of the referendum is too close to call. The support to “remain” is at 39 percent, barely ahead of the 38 percent backing to “leave,” according to recent poll results from research company YouGov.

Could Brexit Exempt U.K. from GDPR?

The Vote Leave campaign, made up of a cross-party group of parliamentary members including several high profile government ministers, argues that “instead of uniform harmonization,” such as GDPR, “that is hard to fix,” the U.K. would work better in Europe by cooperating “on the basis of mutual recognition of national regulatory standards.”

Separately, a business-led grassroots movement called Leave.EU is highlighting that the EU is responsible for more than half of the U.K.'s legislation and that the top EU regulations cost the U.K. 33.3 billion pounds ($46.8 billion) a year.

“A number of organizations are clinging onto the possibility of a Brexit as a reason to hold off implementing GDPR,” Mark Thompson, privacy practice leader at KPMG U.K., said. Negotiators Dec. 15, 2015 concluded nearly four years of talks on final text of a new data protection framework to replace the now over 20-year-old EU Data Protection Directive (95/46/EC) (14 PVLR 2289, 12/21/15).

Some companies are hoping that “the heavy fines and onerous new requirements introduced by the GDPR won't be applicable to them if Britain leaves the EU,” Thompson said.

Under the GDPR, penalties could reach as high as 10 million euros (slightly more than $11.3 million), or 2 percent of their annual worldwide revenues.

“Some might argue that not being liable for GDPR would be an additional benefit for businesses in the event of Brexit,” Thompson said, referring to some of the provisions businesses perceive as costly, such as appointing data protection officers or conducting privacy impact assessments.


“In reality, this is a false hope,” Thompson said. “Should Brexit happen, the GDPR, or something very close to it is likely to be passed in the U.K. The reality is that Britain needs to trade with the EU and trade these days is becoming increasingly reliant on personal information,” he said.

Chris Combemale, the chief executive officer of the U.K. Direct Marketing Association, concurred. “If the U.K. opted to leave it would enter into some form of trading relationship with the EU” and “data protection would form part of any such trading agreement,” he said.

“The U.K. would need to implement data protection legislation that was broadly equivalent with the GDPR,” he said.

GDPR Will Apply

KPMG Executive Advisor Ewan Donald said that “under the GDPR companies in the EU can only send personal information to countries outside the EU where appropriate mechanisms are in place to ensure European citizens' personal information is treated ‘adequately’ in line with the GDPR.”

“As such, even if the U.K. votes to leave the EU, U.K. companies would still need to embed processes and controls similar to what is required by the GDPR in order to process EU citizens' data,” he said.

Ruth Boardman, co-head of the International Data Protection team at Bird & Bird's London office, said “anyone who sells or offers goods or services to EU residents or who profiles EU residents will have to comply with EU data protection law, even if the U.K. leaves the EU.”

The “new EU General Data Protection Regulation will always apply in this situation—regardless of where the actual data processing takes place, or where the organization is based,” she said.

Boardman added that the “core principles” of the U.K.’s data protection legislation “are based on international conventions—leaving the EU would not affect this.”

In a Brexit scenario, the U.K. could retain its adequacy recognition by the European Commission, the EU's executive arm, Mark Webber, a partner in the Technology Group at Fieldfisher LLP, London, said.

Boardman added that the “controversy over the invalidated U.S.-EU Safe Harbor Program (14 PVLR 1825, 10/12/15) shows the challenges in this area: the arguments that have been made as to whether the U.S. offers ‘adequate’ protection for personal data would likely be replayed in a U.K. context.”

With its strong financial services sector, tech community and inward investing enterprise community, Webber said that “the U.K. will be very keen to remain recognized as offering adequate protection to EU-originated data.” Otherwise, “the U.K. could find itself in a similar place to the U.S.—dependent on EU data transfer but with more hurdles to cross in respect of each and every data transfer,” which might mean “we may no longer be the attractive headquarters location for the scaling U.S. business that we've traditionally been,” he said. “This alone is likely to force the U.K. to adopt GDPR-like rules or maintain the GDPR rules if they are implemented prior to a Brexit,” Webber said.

European Economic Area

Regarding options available for a post-Brexit U.K. to maintain its ‘adequacy’ status, European Commission spokesman Christian Wigand told Bloomberg BNA that “although the Commission wants the U.K. to remain in the EU, it is not taking part in the referendum campaign” and “therefore, we do not speculate on hypothetical situations and there is no ‘plan B.'”

However, he pointed out that non-EU members of the European Economic Area (EEA), like Norway, are “covered by the data protection directive and the coming regulation,” allowing personal data flow with the EU without the need for any further safeguards. Two other EEA members—Iceland and Liechtenstein—also have similar benefits.

Uncertainty over the timing and sequence of post-Brexit changes “would have significant implications for business between the EU and the U.K.,” Fabian Niemann, technology, copyright and data protection partner at Bird & Bird's Frankfurt office, said.

Any scenario “would impact U.K. companies with customers in the EU, at least for a couple of years,” he said, referring to the minimum notice period the U.K. would have to give the EU to exit the bloc.

“There's no precedent for such a process and a lot of issues to sort out,” Webber said.

“If the U.K. hasn't formally left the EU when the GDPR comes into force it will automatically become law in the U.K.,” he said. “Yet, if we've voted for Brexit and left the EU before the GDPR became law there is no mechanism to implement the GDPR (or rules like it) unless the Government took specific additional steps.”

Impact on Combating Terrorism, Cybercrime

Brexit would also raise questions about “the approach of the U.K. secret service towards data protection,” Niemann said. “EU data protection laws would also lead to more restrictions in cooperation between EU and U.K. authorities if the U.K. leaves the EU,” he said.

Webber said that the U.K. government's plans to pass legislation to require communications companies to retain customer connection records for up to a year for law enforcement and national security purposes (15 PVLR 510, 3/7/16) “may also come to haunt the U.K.” after Brexit.

The EU might “take a dim view of such mass-surveillance and potential government access to data which is otherwise contrary to EU fundamental rights,” he said.

ICO Presses GDPR guidance

In the run-up to the referendum, the focus of the Information Commissioner's Office—the U.K.’s data protection authority—“remains on core data protection functions and preparing for the EU data protection reform: the GDPR and Directive affecting law enforcement activities,” the ICO's Lead Communications Officer Anya Burgess said.

The Law Enforcement Directive is a companion to the GDPR. It covers government collection and use of personal data (15 PVLR 747, 4/11/16).

As “an independent regulator the ICO doesn't have a view on the merits of the arguments” for leaving or remaining in the EU and “on the subject of guidance for a potential Brexit scenario, this is primarily a question for the government,” she said.

However, Burgess pointed out that the ICO's recent advice to businesses seeking to comply with the GDPR mentions that “if you are complying properly with the current” U.K. laws, “then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.”

James Leaton Gray, associate director at Ctrl-Shift, a consulting company offering services for organizations seeking to prosper in the digital economy, said Brexit is “not something I'm finding I'm being pressed on by clients yet” given they “are only slowly trying to get heads around the GDPR.”

Any company that may be “slowing down its timetable” to comply with GDPR as a result of the Brexit uncertainty “would be foolish,” he said. “In the current climate of an expanding digital economy” any outward-looking service provider “is going to have high levels of protection for personal data,” Gray said.

Regarding the impact of Brexit on U.S.-based multinationals, Gray said that a lot of U.S. companies “are not suddenly going to stop trading in Britain or Europe.” The U.K. would simply become part of a multinational company's “fuller complex patchwork of data protection considerations across the world.”

To contact the reporter on this story: Ali Qassim in London at

To contact the editor responsible for this story: Jimmy H. Koo at
