Brexit Sparks EU Single Market Privacy Conundrum

By Stephen Gardner

June 30 — The post-Brexit U.K. faces a tough decision with privacy implications on whether it should continue to participate in the unified European economy despite voting to leave the European Union.

Within the single European market, the EU would require the U.K. to follow the new EU General Data Protection Regulation ((EU) 2016/679) (GDPR). Outside the market, the U.K. would have to demonstrate the adequacy of its independent privacy regime in order to lawfully accept personal data from the remaining 27 EU countries.

The departure from the common market might also put the U.K. at risk for participation in trans-Atlantic data transfer deals, including the nascent EU-U.S. Privacy Shield program. It might also diminish the U.K. privacy office's ability to influence European privacy and data security developments.

Companies that handle personal data likely hope the U.K. will stay in the single market. This would allow more-or-less business as usual. But it would require the U.K.’s political leaders to make some compromises, privacy attorneys working in the EU told Bloomberg BNA.

General Data Protection Regulation

The U.K.’s continued participation in the single market would allow the GDPR to take full effect in the U.K. Negotiators Dec. 15, 2015 concluded nearly four years of talks on final text of the GDPR to replace the EU's now over 20-year-old Data Protection Directive (95/46/EC) (14 PVLR 2289, 12/21/15). It will apply for all EU countries as of May 25, 2018 (15 PVLR 963, 5/9/16).

Jan Philipp Albrecht, the German Green lawmaker who was the European Parliament's lead negotiator on the GDPR, told Bloomberg BNA June 29 that he “very much” hopes the U.K. stays in the single market.

The U.K. had been “from the beginning very supportive of a new data protection framework that creates more legal certainty. All in all, it would be a real pity if the U.K. does not benefit from that,” Albrecht said.

Privacy Shield at Risk?

Companies would likely prefer the U.K. to stay in the single market because the alternative would be fraught with difficulty and uncertainty.

Ann LaFrance, partner co-leader of Data Privacy & Cybersecurity practice at Squire Patton Boggs in London, told Bloomberg BNA June 29 that “under an independent model where the U.K. renegotiates its trade relationships, the U.K. would have to negotiate their own Privacy Shield-type arrangements with the EU, or obtain third-country status from the European Commission.”

The EU-U.S. Privacy Shield is a proposed framework for trans-Atlantic transfers of personal data to replace the invalidated U.S.-EU Safe Harbor framework (15 PVLR 269, 2/8/16). The European Court of Justice—the EU's top court—Oct. 6, 2015 invalidated the Safe Harbor on the basis that it failed to sufficiently protect the privacy of EU data subjects (14 PVLR 1825, 10/12/15).

But in putting in place such an arrangement, the U.K. could face similar problems to those experienced by the U.S. over Safe Harbor.

Jorg Hladjk, of counsel with Jones Day in Brussels, told Bloomberg BNA that there would have to be “a discussion of whether there is really equivalent protection” in the U.K. to that offered in the EU under the GDPR.

For the U.K. this would mean that “if the GDPR no longer applies, they will have to come up with something that's very close,” Hladjk said.

Proving Adequacy

Albrecht said that proving the adequacy of the privacy protections offered by the U.K. in the event the U.K. opts out of the single market might be a “hard task.”

The European Commission, the EU's executive arm, makes decisions on the adequacy of third country data protection regimes. The decisions, which must be approved by the European Parliament and EU countries represented in the Council of the EU, allow personal data to be transferred freely to countries judged to have privacy protections in place to adequately protect the privacy of data transferred there.

Even if the U.K. went the adequacy determination route, it would likely need to amend its Data Protection Act 1998 to largely incorporate the main privacy points of the GDPR. If it didn't do so, the U.K. law might be “seen as rather weak” and therefore potentially inadequate, Albrecht said.

“There are several points of criticism” of the U.K. Data Protection Act, including its provisions on consent, the right of erasure of personal data and enforcement, Albrecht said.

LaFrance said that in such a situation, the commission would be “likely to require the U.K. to put laws more stringent than the Data Protection Act in place as a condition of recognizing the adequacy of the U.K.’s data privacy regime.”

Philip James, a technology partner at Sheridans in London, told Bloomberg BNA that a “sensible approach” would involve the U.K. demonstrating it has adequate privacy safeguards in place by “incorporating the GDPR into U.K. law by means of a specific U.K. statutory instrument.”

Surveillance Concerns

A future commission adequacy decision on the U.K. might be under threat on similar grounds to those that invalidated Safe Harbor. It may be difficult for the U.K. to prove that the personal data of EU citizens aren't subject to unwarranted surveillance by U.K. intelligence services.

The U.K.’s secretive Government Communications Headquarters (GCHQ) was cited by Edward Snowden, the former employee of a U.S. National Security Agency contractor who leaked information about government surveillance programs, as indulging in mass electronic surveillance.

Albrecht said that if the U.K. steps outside the European single market, its data protection regime would be “judged on all those intelligence issues.”

Snowden's disclosures and the invalidation of Safe Harbor led to an upgrading of privacy protections in the U.S. to guard against unwarranted government surveillance, Albrecht said. “I don't see that in the U.K. at the moment,” he said.

Hladjk said that pending cases before the European Court of Human Rights, which isn't an EU court, alleging that surveillance by the U.K. intelligence agencies violates privacy rights, might be taken into account in any future adequacy decision relating to the U.K.

European Economic Area

Considering the potential difficulties that the U.K. may face in earning a commission adequacy decision if it steps outside the single market, the common sense option would seem to be to stay in the single market and be subject to the GDPR, attorneys said.

Campaigners for the U.K. to leave the EU made contradictory promises about remaining in the single market. Some suggested staying in the single market while not accepting some of its basic principles, including the free movement of people.

The GDPR will apply to the EU and to three non-EU countries—Iceland, Liechtenstein and Norway—that are members of the European Free Trade Association (EFTA) and that adhere to the European Economic Area (EEA) Agreement, which extends the single market beyond the EU.

EFTA senior officer Tore Grønningsæter told Bloomberg BNA that the three countries would be required to transpose the GDPR into their national legal codes, though this could be done by a simple reference to the final text of the regulation.

EEA countries could in principle refuse to adopt an EU law, but the consequence could be suspension of single market participation and, after twenty years and about 10,000 laws from the EU, “we haven't done a single veto yet,” Grønningsæter said.

It remains unclear whether U.K. politicians would be able to tolerate such a system. The U.K. had joined the EU “principally to be a member of the single market. Why move out of that and into it again without voting rights?” Grønningsæter said.

Less Influence for U.K. Privacy Office?

Single market participation for the U.K. without EU membership would also have implications for the U.K. privacy regulator, the Information Commissioner's Office.

Kim Ellertsen, head of the legal department at the Norwegian Data Protection Authority, told Bloomberg BNA that the Norwegian DPA has only observer status in the Article 29 Working Party of EU data supervisors. The Art. 29 Working Party will be replaced by the European Data Protection Board when the GDPR takes effect.

In terms of participation in the preparation of guidance on the GDPR, for example, “we're doing things all the other DPAs are doing but at smaller scale,” Ellertsen said.

The Norwegian DPA also has little influence over frameworks such as Privacy Shield, though if the European Commission approves Privacy Shield “it will be valid in Norway through the EEA Agreement,” Ellertsen added.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Jimmy H. Koo at jkoo@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.