Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Oct. 20 — Brexit may cause U.K. companies to limit compliance investment for the new European Union privacy regime, U.K. Deputy Information Commissioner Steve Wood told Bloomberg BNA.
Wood told Bloomberg BNA Oct. 20 that uncertainty isn't “good because it can delay investment in compliance systems.” The U.K. data protection agency, the Information Commissioner's Office (ICO), had been “relaying to government” that companies “want certainty and clarity” over data protection in the context of the U.K.’s exit from the EU, Wood said.
The U.K. voted to leave the EU in June. The U.K. government has said it will trigger in early 2017 a two-year negotiation with the remaining 27 EU countries on the terms of the U.K.’s departure.
Consequently, the U.K. is likely to leave the EU in 2019, after the EU General Data Protection Regulation (GDPR) comes into effect in May 2018. The U.K. must implement the GDPR while it remains an EU country.
The ICO was working “steadily towards” GDPR implementation ahead of the May 2018 deadline and is “working with European colleagues in the Article 29 Working Party” on GDPR guidance, Woods said.
After the U.K. leaves officially the EU, its data protection regime might start to diverge from the GDPR.
The U.K. government has previously said that it will attempt to harmonize it's data protection laws with EU laws before the nation leaves the bloc.
Wood said that post-Brexit “obviously it's a decision for the government to make, and parliament as well, in terms of what legislation we should have in the U.K. for data protection.”
However, “the challenges which were there before the referendum are still there now: the challenges of the digital economy, digital public services, challenges of better transparency online so citizens have more control, challenges of children's personal data online,” Wood said.
“Those difficult issues won't go away so we still need a strong, progressive data protection law. We'll always make the case for strong enforcement powers and an independent agency enforcing the data protection laws in the U.K,” he said.
The ICO would continue to stress that strong data protection is needed because it's a fundamental right and “good for the digital economy because the more trust you have in a digital economy, the more it is likely people will be able to share high quality personal data that can drive new businesses,” Wood said.
After the U.K. formally leaves the EU, it will no longer be able to rely on the European Court of Justice (ECJ) for data privacy case law.
is unclear if binding decisions, such as decisions of the European Data Protection Board (EDPB) that will be set up under the GDPR, will apply in the U.K. post-Brexit.
However, even if post-Brexit EU rulings and decisions don't apply in the U.K., the nation and the EU may remain close in terms of privacy regimes, Wood said.
“If the position is we're outside the EU and we become a third country in the concept of European law, then we wouldn't be subject to binding decisions,” he said. But, “U.K. companies selling into the EU, or with other establishments in the EU, would still be affected by the case law” from the ECJ, he said.
He added that “it's possible that the case law will still be influential at a slightly removed point.” The EU Court of Justice's Google Spain judgment about the right to be forgotten “had an effect outside the EU anyway, with other jurisdictions looking and thinking about the direction of case law, so data protection case law and developments in the EU will still be important in the UK, but there will be a redefined relationship.”
“The future strategy for the ICO will be how we have to interact with that,” Wood said. The U.K. Information Commissioner, Elizabeth Denham, “will start to develop over time what the ICO's relationship with the EDPB might need to be after we leave,” but “we can't really say at this stage how that will work.”
As part of the post-Brexit fallout, the U.K. may have to apply for its data protection regime to be found adequate by the European Commission, the EU's executive arm.
A decision to apply for adequacy “is ultimately a political one for the government to make,” Woods said.
To trade with the EU “adequacy is normally seen as a key component, as evidenced by the work done by the U.S. to get the Privacy Shield in place,” Wood said. The EU-U.S. Privacy Shield is the data transfer framework that replaced the canceled U.S.-EU Safe Harbor arrangement.
For the ICO, “the heart of our considerations are not the trade issues, which are connected with adequacy, but the protection of personal data of U.K. citizens that is transferred out to different countries under any new law we have in place after we exit,” Wood said.
This would likely necessitate a U.K.-U.S. deal on data transfers. For this, the “Privacy Shield is one model that could still be considered, given the effort and time that has gone into making it work and the input we gave as the ICO,” Wood said.
“I suspect companies will want regulatory certainty and to be able to continue to use a model like that,” Wood said.
To contact the reporter on this story: Stephen Gardner in Marrakesh, Morocco at email@example.com
To contact the editor responsible for this story: Donald G. Aplin at firstname.lastname@example.org
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)