The technology and cybersecurity community grapples with the many issues related to data privacy as a daily diet. In an ever-evolving and converging digital economy, personal data is a key issue, especially at a time when new legislation and regulations in Europe are being adopted to take stock of the latest tech innovations and improve the protection of consumer and employee data processed by companies.
With the EU referendum vote looming in the UK, now is a particularly charged time, particularly when it comes to the uncertainty surrounding changes to data protection law.
The current Data Protection and cyber security landscape
Last month the EU adopted a new data protection framework for its Member States in the form of the General Data Protection Regulation (GDPR). Replacing the Data Protection Directive from 1995, the GDPR, which provides a unified approach to data protection rules, will only become directly applicable in all Member States as of 25th May 2018, after a two-year transition period.
Following suit, the Directive on network and information security (NIS Directive), which aims to level the playing field for key internet companies and infrastructure operators by introducing harmonised rules to apply in all EU countries, is expected to enter into force in August 2016. Member States will be given twenty-one months, until May 2018, to implement changes to national law.
Finally, the e-Privacy Directive is currently under review, with the long-awaited public consultation launched on 11th April 2016. This Directive complements the existing data protection regime and sets out more specific privacy rights and obligations for electronic communications service and network providers.
However, it now needs to be amended to ensure inter alia consistency with the privacy rules under the GDPR.
Uncertainty exists around how data protection laws will apply should the UK decide to leave the EU. The UK already has its own legislation in the form of the Data Protection Act 1998 (DPA). This Act implements the 1995 EU Data Protection Directive.
From a historical point of view, the EU Commission and the UK have had a fractious relationship on data protection issues as the UK never fully implemented the Directive in the eyes of the Commission.
In fact, the Commission has been regularly threatening to bring infraction proceedings against the UK over the years. This situation has not improved, with the Snowden affair shedding light on mass surveillance practices within the UK.
It is interesting to note that the Information Commissioner’s Office has actually made a statement in relation to Brexit. The ICO has emphasised the need to continue to have clear and effective data protection laws, whether or not the UK remains part of the EU.
Having clear laws with safeguards in place is a central tenet in ensuring the security of shared data which international trade relies on. For tech companies, this is key as it will likely impact European-wide data harvesting.
What will happen in case of Brexit?
The landscape of data protection law post-exit will depend on the choices the UK makes, but it is also important to stress that any changes will not happen instantly. For the EU exit process, a Member State must give the European Council at least two years' notice of its intention to leave, and a withdrawal agreement will need to be negotiated with the Union, taking account of the framework for its future relationship with the Union.
Given this two-year notice period, it is likely that the exit process and the implementation of GDPR and the NIS Directive may run in parallel.
Currently, there are two scenarios that will arise from this:
If the GDPR comes into force before the exit, the DPA can be repealed and the GDPR will have direct effect in the UK.
If the GDPR is not yet in force at the time the UK exits the EU, the data protection regime in place will depend on the UK government's choices. Either the UK exit option requires the adoption of EU laws as part of the single market, or the UK exit does not require adopting EU laws, leaving the UK with no other option than to reintroduce its own Data Protection legislation.
This latter scenario is of primary interest, as the UK may be tempted to adopt a more business-friendly version of the GDPR. Indeed, the UK has expressed strong reservations against the most onerous provisions of the GDPR.
Of particular concern have been the level of the new fines, the obligation to employ data protection officers, and the way the right to be forgotten and the one-stop-shop approach will need to be implemented.
However, it’s important to bear in mind that whether the UK chooses to leave or to remain part of the EU, the GDPR rules will be applicable to all UK businesses.
This is due to the fact that the GDPR has an extraterritorial effect, applying not only to all organisations established in the EU that process personal data but also to any organisation established outside the EU which offers goods or services in the EU or which monitors the behaviour of EU data subjects.
Concretely, this means that UK businesses may be subject to fines representing up to 4% of their annual global turnover or 20 million euros. They will need to implement requests made in the name of the right to be forgotten and to appoint a data protection officer.
Data owners will also have to move away from the current system, whereby each data protection authority is responsible for its own data controllers, and migrate to a one-stop-shop system which grants main responsibility to a lead authority linked to the main establishment of the data controller or the data processor.
It remains to be seen as well whether the UK will favour the adoption of some legislation compliant with the NIS Directive even if not bound by it, solely in the interest of facilitating trade with EU partners.
European data transfers
One of the most sensitive data protection issues is what will happen to data transfers from EU countries to the UK.
There are two main options to consider in the event of a Brexit. Firstly, the UK exits the EU but chooses to remain part of the European Economic Area (EEA). This would mean that EU/UK data flows will be subject to all applicable EU Data Protection rules, including the GDPR, as the EEA is effectively an area of 'free movement of personal data'.
The second option is a little bit more of a 'Pandora's Box'. If the UK exits the EU but does not choose to be part of the EEA, then it may seek confirmation from the European Commission that it provides 'adequate protection'.
Just like any other country, the UK may apply for an 'Adequacy Decision' from the Commission and join a restricted list of countries recognised as offering adequate protection for personal data transferred to them (this list currently includes Canada, Israel, Argentina and Switzerland, for example). Although this looks like a safe path, it may not be granted that easily given the history of the relationship between the UK and the EU.
It is fair to say that the legal basis for data protection rules may change in the case of a Brexit. However, technology businesses should be most aware of how these changes will impact trade and it would be prudent to abide by the GDPR if doing business in Europe.
Sourced from Dr Nathalie Moreno, partner Brands and IP, Commercial and Data Privacy, Lewis Silkin LLP