Following the United Kingdom’s nonbinding vote to leave the European Union (“Brexit”), what do businesses need to consider for data privacy compliance?
Being part of the European Union has meant that UK businesses are subject to numerous data protection laws. The United Kingdom has enacted most of its data protection laws, such as the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003, to implement European directives. Additionally, businesses in the United Kingdom are also directly subject to European regulations, such as the Data Breach Notification Regulations 2013, the Clinical Trials Regulations 2014, and the European Commission (the Commission) decisions regarding transfers of personal data outside the European Union as these apply across it without the need for the UK government to pass domestic legislation. Finally, the European Parliament has reached a final agreement on the new General Data Protection Regulation (GDPR). The GDPR will take effect in May 2018 and will apply directly to any business that provides goods or services in Europe or that has European operations. This will include any business within the European Union as well as those outside it.
Following the referendum decision to leave the European Union, many are wondering what Brexit will mean for UK businesses. When the new prime minister elects to invoke Article 50 of the Lisbon Treaty, triggering an exit from the European Union, trade negotiations will commence to secure the United Kingdom’s ability to trade with the remainder of the European Union as a single market.
Existing domestic legislation would remain in effect unless and until the government changes it. This means that businesses in the United Kingdom would continue to be subject to the Data Protection Act 1998. The Information Commissioner’s Office (ICO) would remain as the data protection authority with regulatory powers to conduct investigations into breaches of the DPA and issue penalties for noncompliance. Businesses based only in the United Kingdom would not be subject to European data protection legislation, such as the above listed regulations, which have direct effect in Europe or to Commission decisions on, for example, cross-border data transfers (see below). The ICO has announced that UK data protection standards will need to be equivalent to those in the GDPR if the United Kingdom wants to trade with the European single market post-Brexit.
To date, the UK courts and the ICO have adopted a relatively pro-business approach, in contrast to some of the United Kingdom’s continental cousins. For example, the concept of consent has been strictly interpreted throughout the continent, but in the United Kingdom, “deemed consent” is valid, except in relation to sensitive personal data.
Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. Therefore, it seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially exposing them to increased data security breaches.
UK businesses with European operations or that otherwise have servers in Europe or that engage processors in Europe will continue to be subject to the data protection laws of those European countries in relation to the European aspects of their business. Additionally, any UK business that offers goods or services to European consumers or that has a website that is accessible in Europe will need to comply with the GDPR and the relevant European laws implementing the Privacy and Electronic Communications Directive in the country where the users are based.
Most UK businesses will almost certainly need to transfer personal data to Europe and other countries outside the European Union, such as the United States. Currently, while the United Kingdom remains part of the European Union, there are restrictions against transferring personal data outside it without consent from the individual, other than to certain “adequate” countries (such as Canada or Switzerland), or unless the business has in place a legally permissible mechanism (such as model clauses or binding corporate rules). If the United Kingdom leaves Europe, the UK government will need to decide if it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted, the United Kingdom will need to decide if it will adopt a similar model for data transfers from the United Kingdom to the United States if the current restriction on such data transfers is retained.
Additionally, the United Kingdom is likely to apply to the Commission for a decision of “adequacy,” which allows European countries to transfer personal data to the United Kingdom. This will, of course, depend on whether the government has passed laws that differ from the current DPA and whether the Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective, which seems likely. In such an event, in 2018 post-Brexit, the United Kingdom, like other currently “adequate” countries, will need to apply for adequacy status with the Commission.
The DPA does not have a mandatory data breach reporting obligation. The GDPR, however, does include a mandatory obligation to notify the data protection authority within 72 hours of becoming aware of a breach and without undue delay and, in certain circumstances, the individuals affected by the breach. The government will, therefore, need to decide if it will pass a data breach notification law, either similar to the strict GDPR requirement or one adapted to an approach of pro-business legal requirements.
Although the United Kingdom was one of the dissenting voices in negotiations about the GDPR and was particularly vocal about the onerous effect on UK businesses, it seems unlikely that the United Kingdom will reduce the extent of data protection obligations on UK businesses. To do so would necessarily reduce the current level of data privacy protections afforded to individuals. It will be interesting to see how cross-border issues such as data transfers and data breach notification requirements will apply post-Brexit. The United Kingdom is unlikely to want to be seen as being out-of-step with the rest of Europe, which will, to a large extent, remain the biggest UK trading partner. The potential alternatives are that the United Kingdom becomes a member of the European Economic Area, such as Norway or Iceland, which would enact many laws similar to European laws, or that it becomes a separate member of the single market, such as Switzerland. Both alternatives mean that the United Kingdom will need to amend the DPA or pass new laws similar to the GDPR.
For more than three decades, Morgan Lewis has represented companies and institutions doing business in the United Kingdom and globally. Our Brexit team of lawyers have been advising clients on a variety of legal issues in the run up to the decision and are assessing the complex short- and long-term implications of the June 23 vote. Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the union. To view this alert and others, and to gain immediate access to our most recent guidance on Brexit, please visit the Brexit Resource Centre. In addition, please feel free to speak to your usual contact at Morgan Lewis or to contact any one of the Brexit Team via Brexit@morganlewis.com.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Mark L. Krotoski
W. Reece Hirsch
Gregory T. Parks