By Daniel L. Farris
As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.
There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.
There is little or no immediate impact on US-UK data transfer standards or compliance obligations. Though focus has been on the Data Protection Directive since last fall, when the CJEU invalidated Safe Harbor in the Schrems decision, the true source of law for US-UK data transfers is the UK Data Protection Act of 1998. The DPA incorporates and even expands upon the Directive’s data protection principles. And the Brexit vote is not an exit. Until the UK actually negotiates its exit from the EU, it remains a member of the Union and subject to EU regulations.
The EEA Option and GDPR
Even in a post-Brexit world, the UK may elect to remain a member of the European Economic Area, which would allow the UK to engage in free trade with EU member states, provided that the UK subjects itself to EU laws. A decision to remain in the EEA would mean the eventual application of the GDPR to the UK, as was planned prior to the Brexit vote.
Fully Independent UK
Should the UK ultimately exit both the EU and EEA without taking further action on Data Protection laws, it would likely become a “third country” for Directive and GDPR purposes, as the US is now. In such a case, data transfer to the UK might be restricted unless the EU determines that the UK provides adequate levels of protection for personal data, a la Switzerland, Canada, and Israel. Restriction on EU-UK data transmissions seem unlikely, however, as the DPA is currently one of the more comprehensive and stricter data protection regulations in Europe, and the UK has already begun working towards eventual adoption of the GDPR.
FieldFisher, a leading European privacy firm, also speculates that the UK may consider the adoption of a “GDPR-lite” type law, though such a decision may prove perilous.
Ultimately, the best course for US companies is to take something of a wait and see approach to the Brexit, and continue to work towards GDPR compliance more generally. For assistance in understanding how the Brexit, Privacy Shield, or GDPR may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security Team member.