As part of the European Union, the UK currently benefits from harmonized trading rules across the European Economic Area (EEA) – the 28 EU countries plus Norway, Iceland and Liechtenstein.
The basis of the internal market is the four fundamental freedoms of movement of goods, services, capital and labour. The current 1995 EU Data Protection Directive harmonised the various national laws on data protection across member states.
The free flow of data between member states was – and remains – necessary to ensure the free movement of goods, persons, services and capital.
A principal objective of the Directive was to remove any barriers to such movement in the face of advancing technology which was resulting in easier and more fluid movement of data.
In addition, the closer integration, both economic and social, that was the result of the internal market, meant that increased data was flowing between the member states.
This added to the need for consistency across national laws in order to facilitate cross-border cooperation and competition.
EU data protection laws are now going through a further process of harmonisation through the introduction of the General Data Protection Regulation (GDPR).
Should the UK leave the EU following the Brexit referendum, would it benefit from being free of the requirements of the GDPR?
One of the key principles of EU data protection law provides that personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of their personal data.
Should the UK withdraw from the EU, UK companies could only continue receiving personal data from EU member states on the strength of an adequacy decision if the UK demonstrated to the European Commission that its domestic laws or international commitments provide an adequate level of protection. This is no easy task.
Adequacy decisions made by the European Commission can either apply to the country itself (as is the case with Switzerland, New Zealand and Israel, and a further handful of ‘whitelisted’ countries) or to particular sectors or administrations (for example Canadian organisations subject to PIPEDA, the Personal Information Protection and Electronic Documents Act, and those in the U.S. previously governed by the Safe Harbour principles).
It can take several years for adequacy decisions to be made and therefore, as in many other areas, the UK would be in an uncertain state following a Brexit.
Establishing that the UK’s data protection legislation offers a level of protection for personal data that is adequate, or essentially equivalent, to that which the EU affords individuals when their data is transferred is a high threshold.
The US-EU Safe Harbour scheme likewise gave companies a lawful basis for transferring personal data from the EU to the US.
This scheme was invalidated in October 2015 by a landmark decision of the Court of Justice of the European Union, which held that US law did not ensure an adequate level of protection for personal data transferred from the EU.
This has resulted in intense negotiations for a replacement, the Privacy Shield, which gives a foretaste of the issues that the UK would face in implementing an equivalent scheme for transfers from the EU to the UK.
The scheme is now subject to a somewhat complex approval process. Two opinions of European privacy regulators issued in recent months highlight the fact that the Privacy Shield does not adequately reflect some of the key EU data privacy principles, such as limits on data retention and rights to object to decision-making based purely on automated processes.
In particular, the European Data Protection Supervisor’s report issued last month highlighted the fact that the Privacy Shield did not incorporate new principles and safeguards introduced by the GDPR and that it was unreasonable to expect companies to constantly change compliance models.
All this points to the fact that, if the UK were to negotiate a similar scheme with the EU following a Brexit, it would need to comply with essentially equivalent standards to those in the EU in order to benefit from cross-border transfers of personal data from the EU, which are essential to carrying on many businesses.
The GDPR is a radical overhaul of data privacy laws which may result in a reduction in some of the compliance obligations for international businesses that will now only have to comply with one set of rules rather than the panoply of rules in the 28 Member States.
The Vote Leave campaign website cites a cut in red tape as one of the reasons for exit: it claims that only 5% of British businesses export to the EU but that 100% suffer the burden of red tape.
Data protection compliance obligations are not specifically mentioned and it has yet to become a headline issue. One ‘red tape’ requirement – the obligation to register as a data controller, which both Vote Leave and Britain Stronger in Europe have duly complied with – is being dispensed with under the GDPR.
However, it is replaced by detailed record keeping obligations, which are already a feature of some EU member states, such as Germany. While the GDPR potentially simplifies compliance, it introduces a number of key changes and new rights.
For example, companies whose core activities require regular and systematic monitoring of data subjects on a large scale will be required to appoint a data protection officer (DPO).
This will help some companies to comply with the new regulations and ease internal procedures (some UK businesses already choose to appoint a DPO). However, it reflects the increased time and resources companies will be expected to dedicate to this issue.
The GDPR also introduces some key new rights for data subjects which may result in an increased burden on data controllers.
For example, it imposes stricter rules on data retention and minimisation and gives data subjects the right to request deletion of their personal data in certain circumstances (for example when it is no longer necessary for the purpose for which it was initially collected, or where the individual simply withdraws consent).
Where no exception applies, such a request must lead to the deletion of the personal data relating to the individual making it, which could impose a substantial compliance burden on the data controller.
These are reasonably significant compliance burdens. However, if a structured solution for data transfers is not implemented, companies wishing to transfer personal data to third countries outside of the EU would be required to rely on other, potentially far more burdensome, mechanisms – principally EU Standard Contractual Clauses for the transfers of personal data.
Anyone who regularly advises international businesses on data transfers from the EU will attest to the fact that model data transfer clauses are administratively cumbersome and are precisely the form of red tape that most businesses would want to avoid.
Yet, in the absence of a comprehensive scheme for data transfers, this would be the only viable practical option for UK companies, post Brexit, who need to receive personal data from EU affiliates or counterparties.
Many UK companies operating across a number of jurisdictions may well continue to adhere to the Data Protection Directive and adopt the new standards set by the GDPR.
A single set of rules is attractive both in terms of managing consistency of internal compliance and providing a consistent message to consumers and contractual counterparties on the way in which personal data is handled.
Moreover, the global trend is towards higher levels of protection for personal data and many multinational companies are, in practice, obliged to adopt the high baseline standard that EU law requires.
Any marginal reductions in administrative obligations are likely to be significantly offset by the additional complexities resulting from Brexit.
Sourced from Huw Beverley-Smith, partner, London office, Faegre Baker Daniels