Post-Brexit Data Security Considerations

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Brexit Data Security

U.S. companies retrieving personal data from the European Union and U.K. should expect a prolonged Brexit that takes several years to complete. But they must monitor ongoing developments to ensure that they timely implement the correct data security compliance protocols and processes, the author writes.

Kenneth K. Dort

By Kenneth K. Dort

Kenneth K. Dort is a partner at Drinker Biddle and chair of the firm's Technology Committee. He can be reached at

For U.S. Companies in the European Union

The U.K.'s decision to leave the European Union has raised numerous questions about future data protection considerations and about how to transfer personal data to the U.K. from other EU/European Economic Area (EEA) members (and from the U.K. to the U.S.). The structure of the U.K.'s post-Brexit relationship with the EU will determine whether the U.K. is legally permitted to diverge from the data protection requirements that will exist in most other western European countries.

In particular, a U.K. decision to diverge from the EU General Data Protection Regulation (GDPR) could affect U.K. business operations in the EU, as well as multinational corporations' data hubs in the U.K.—impacting the data transfer considerations facing U.S. companies operating in the U.K. and/or the EU.

Calendar of Events

The U.K.'s withdrawal from the EU will be governed by Article 50 of the Treaty of Lisbon and specifies several critical steps. The U.K. must formally notify the European Council of its intention to leave the EU and negotiate the terms of its exit with the EU. The notice triggers a two-year timeline to finalize negotiations for an agreement to replace existing treaty obligations/requirements. If the two years pass without an agreement, all treaties between the U.K. and EU would cease to apply at that time. If an agreement is reached earlier, the U.K.'s exit would occur the date of the agreement. The two-year period of negotiation can be extended by unanimous agreement of the Council and U.K..

The European Commission will be charged with negotiating the terms of the withdrawal agreement. The agreement must be approved by a qualified majority of the Council and a majority of the European Parliament. If it is classified by the EU as a “mixed agreement,” meaning that it cuts across policy areas within the preserve of the member states, then it would need to be ratified by national parliaments across the EU.

The 27 remaining EU members have conveyed a strong preference that the U.K. initiate the withdrawal process soon. Following an informal meeting of the EU heads of state of the 27 Member States on June 29, the group issued a written statement indicating that “[the U.K.'s European Council notification] should be done as quickly as possible” and “[t]here can be no negotiations of any kind before this notification has taken place.”

German Chancellor Angela Merkel subsequently reiterated that the U.K.'s notice could not be used as a delay tactic to extend the negotiating period, stating that “[t]here cannot be any informal negotiations until we get that message from the U.K.” The U.K. has selected a new Prime Minister, Theresa May, who has signaled she will not trigger Article 50 before the end of 2016. Media reports suggest that the U.K. government may delay notice until as late as fall 2017.

The EU is also updating its data protection legal framework. The existing Data Protection Directive of 1995 will be replaced by the EU General Data Protection Regulation (GDPR). Because the GDPR is directly applicable in all member states, it will standardize privacy rules across the EU when it goes into effect on May 25, 2018. If, the U.K. waits until 2017 to notify the European Council of its intent to withdraw from the EU, Brexit will not occur until after the GDPR has gone into effect in the U.K. in 2018.

Post-Brexit Relationship With the EU

The final terms of the U.K.'s Brexit negotiations will define its relationship with the EU and determine whether the country is bound under the new GDPR rules or has flexibility. The country's membership status in the European Economic Area (EEA) will be important. Noting that the U.K. government recently announced in October 2016 that it would implement the GDPR, the U.K. could consider several historic models for the new arrangement.

The ‘Norway Option.'

Under this scenario, the U.K. could choose to remain part of the EEA and would retain Single Market rights and obligations. The 31-member European Economic Area currently includes all EU Member States, Iceland, Liechtenstein and Norway (Iceland, Liechtenstein, Norway and Switzerland comprise the European Free Trade Association (EFTA)). Under the current EEA agreement, only members of the EU or EFTA can be members of the EEA, and, therefore, the U.K. would need to become a member of the EFTA to remain in the EEA. Switzerland, although a member of EFTA, is not a member of the EEA. Under the EEA Agreement, members participate fully in the Single Market but are bound by EU rules governing the so-called “four freedoms”—goods, services, labor and capital. If the U.K. were to choose the Norway Option, it would be required to incorporate the GDPR into its national laws.

For data protection purposes, EEA membership means that GDPR requirements would apply and personal data could be transferred freely to/from other EU/EEA countries. U.S.-based companies receiving data from either the EU or the U.K. would continue to operate as they do currently.

Those in the U.K. that supported Brexit would likely oppose this option because it would require the U.K. to abide by EU laws governing the free movement of workers, and the “Leave” campaign promised to control immigration from the EU. Continued membership in the EEA would mean that the U.K. is bound by EU rules without having any say in the composition of those rules. The U.K. would still be required to provide significant contributions to various EU programs. This option appears unlikely in the current U.K. political climate. Once Brexit negotiations get underway, support for this option could grow.

The ‘Switzerland Option.'

The U.K. could choose to follow the model adopted by Switzerland. The Swiss failed to ratify the EEA Agreement following a negative referendum on the matter in the early 1990s. Because Switzerland is not part of the EEA, it is not required to adopt all EU legislation relating to the “four freedoms.” Instead, relations are governed by a contractual framework consisting of roughly 20 main and 100 subsidiary bilateral agreements between Switzerland and the EU. These bilateral agreements are adopted only where Switzerland determines it is in its best interest to adapt its domestic legislation to EU law. While Switzerland formally retains internal control over its own laws, the EU exerts considerable influence by exchanging access to the Single Market for Swiss agreement to adopt EU legislation. Switzerland has taken steps to revise the Swiss Federal Act on Data Protection in order to make it compatible with the GDPR.

If the U.K. were to follow this model, it could amend the U.K. Data Protection Act (DPA) of 1998—the current law passed pursuant to the EU Data Protection Directive—or implement new legislation reflecting GDPR requirements. For purposes of enabling U.K. businesses to freely receive personal data from organizations in the EU/EEA, the U.K. would need to undergo a European Commission adequacy assessment to determine whether its domestic data protection law is equivalent to EU standards.

The U.K. would still retain the flexibility under this option to diverge from GDPR requirements, but it would need to carefully weigh the potential risks and benefits of doing so. With GDPR coming into effect in May 2018, U.K. businesses will have already put in place GDPR compliance programs and infrastructure by the time of the U.K. withdrawal from the EU in 2019. Deviation from GDPR requirements could impair the U.K.'s efforts to receive an adequacy determination from the European Commission. Moreover, U.K. businesses that offer goods or services to EU residents will need to comply with the GDPR with respect to those transactions. Therefore, divergence from the GDPR seems unlikely.

It's also important to understand that even if the U.K. does amend the Data Protection Act to bring it into alignment with the GDPR, this doesn't guarantee it will receive an adequacy determination. In conducting an adequacy assessment, the Commission will look at data protection requirements applicable to both public and private sector bodies and, as evidenced by the recent and lengthy U.S.-EU Safe Harbor/Privacy Shield negotiations, might carefully examine the government's ability to access personal data transferred from the EU. U.K. surveillance laws might receive closer scrutiny for alignment with EU data protection principles than they have in the past.

Although this option would allow the U.K. greater flexibility than would EEA membership, it raises a few challenges. Like the Swiss, the U.K. would need to regularly renegotiate or adapt the applicable agreements to keep up with new EU requirements. The EU is increasingly dissatisfied with the Swiss approach and may not be amenable to a U.K. version of this arrangement. The EU sees the current Swiss arrangement as complex and ad hoc, and there are concerns about the fact that, unlike the EEA, there is no established body for resolving disputes as to implementation and interpretation of the applicable agreements. Immigration from the EU may still be an issue, as demonstrated by recent Swiss-EU talks during which the EU has threatened to restrict Swiss access to the Single Market if the country proceeds with plans to impose controls on the free movement of EU citizens.

Although some variation of the Switzerland Option currently appears probable, the EU is likely to insist on certain changes that would bring it closer to the EEA model. This might include requiring the U.K. to adopt EU legislation in certain areas within a defined time period and the establishment of a body to address disputes. Negotiations concerning the free movement of people are likely to be central to the ability to reach agreement.

Options for Companies—Best and Worst Cases

Should the U.K. withdraw from both the EU and EEA and, in the worst case, fail to receive a data protection adequacy determination, transfers of personal data from the EU to the U.K. would become more difficult and other legal mechanisms would need to be relied upon. Options for companies would include:

Model Contractual Clauses : Companies can use certain standard contractual clauses issued by the European Commission to transfer personal data to non-adequate countries. However, the clauses are rigid, and can be time-consuming and expensive to execute with every legal entity with which data is exchanged. In response to a complaint concerning transfers of personal data from the EU to the U.S. pursuant to the contractual clauses, Ireland's Office of the Data Protection Commissioner recently announced its intention to “seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under [the] Standard Contractual Clauses.”

Binding Corporate Rules : Companies may implement a set of internal, binding rules based upon approved European data protection standards. However, obtaining approval of BCRs can be a difficult, expensive and time-consuming process. Moreover, this mechanism only covers intra-company data transfers.

Consent : Explicit consent can be relied upon in certain situations. To be valid, the consent must be founded upon “a statement or a clear affirmative action” for cross-border data transfers that is “freely given, specific, informed, and unambiguous.” The consent must clearly state that the individual's personal data will be transferred to jurisdictions not deemed to provide adequate data protection. Consent is not valid where there is an imbalance in the relationship between the individual and data controller (e.g., employer-employee situations).

Certification Mechanisms : Once the GDPR goes into effect, companies will be able to use approved certifications, seals, and marks to demonstrate that they comply with EU data protection standards. This mechanism will need to be further elaborated upon by the new European Data Protection Board. It may involve a common European Data Protection Seal and a publicly available directory with information about certification registrants.

Industry Codes of Conduct : Under the GDPR, self-regulatory industry codes of conduct can be used to transfer personal data. These codes of conduct must be submitted to the appropriate supervisory authority for approval.

As for transfers to the U.S. from the U.K., the Privacy Shield framework now in place would likely be accepted by the U.K.. Additionally, transfers from the remaining members of the EU to the U.S. would proceed as they currently do.

In the likely event of the U.K.'s implementation of the GDPR and its remaining in the EEA, plus its receipt of an “adequacy” decision from the EU Commission, the options for companies simplify greatly:

  •  first, transfers from the U.K. to the U.S. will likely proceed as noted;
  •  second, transfers from the EU to the U.S. will remain as currently conducted with no change; or
  •  third, transfers from the EU to the U.K. will likely proceed as now conducted with the U.K. as part of the EU.

U.S. companies retrieving personal data from the EU and the U.K. should expect a prolonged exit process that will take several years to complete. While data security and privacy are unlikely to be considered top priorities in the U.K.'s overall exit negotiations, U.S. companies must monitor developments as they occur and be able to respond appropriately as needed by implementing the correct protocols and processes so as to comply with applicable laws and regulations.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security