If Britain chooses to leave the EU in the referendum on 23 June, the full exit process could take as little as two years.
Businesses are understandably in a state of flux at the moment, because uncertainty is everywhere. But when it comes to data, and especially data security, there are a few points they can be reasonably certain of.
Firstly, the requirements of the new EU general data protection regulation (GDPR) due to be implemented imminently will still apply in some guise.
Secondly, issues of access to the European general public’s sensitive data when shared with America – as brought about by the Safe Harbour ruling and recently negotiated Privacy Shield – are not going to disappear.
The question is: if UK businesses are not governed by the EU, will they still have to abide by its laws?
A key argument for the Leave campaign to date has been that if the UK leaves the EU it will not have to abide by EU laws, but the GDPR has a much further reach than its directive predecessor.
The GDPR will apply to all businesses dealing with other companies or individuals within the EU. Britain and the EU are linked by much more than a two-year exit strategy would have you believe.
Under the GDPR, companies operating in or holding data in EU countries will be subject to fines of up to 4% of global turnover.
They will have to develop ‘privacy by design’ provisions, ensure they are adopting measures to protect data right from the start of a client engagement, and comply with requests to erase personal data.
Meanwhile, they will not be able to transfer data outside the EU without approval from the relevant supervisory body, and must gain explicit consent for all collection and processing of data.
Following a break from the EU, the UK could exercise various options when it comes to ensuring that trade and the free flow of data can take place.
It could join the European Economic Area (EEA) or the European Free Trade Association, or it could negotiate a series of bilateral trade agreements with individual countries or groups of countries within the EU.
Or (and this is only to cover all bases) it could choose to stop trading with the EU altogether. Assuming that no man, or indeed no country, is an island (at least economically), it is fair to assume that the UK will continue to trade with the EU in some form.
If the UK joins the EEA, then under current data protection law businesses cannot share personal information concerning their employees, customers and suppliers outside the EEA unless the protection provided outside the EEA is adequate.
Britain may be afforded the same status as other European countries such as Norway and Iceland. This would mean it would be designated a ‘safe area’ under the GDPR.
However, this would mean that the UK would still be subject to the Data Protection Directive and, from May 2018, the GDPR.
In business terms, this would make data transfers somewhat easier, assuming the EU found the UK’s safeguards to be appropriate, but businesses would still have to comply with the GDPR.
The downside is not insignificant for those supporting Brexit – being a member of the EEA requires the adoption of a large percentage of EU law.
Chocolate, army knives and trade agreements
The second and perhaps more viable solution is to adopt the Swiss model, whereby the UK would negotiate a series of bilateral trading agreements.
To follow this model successfully, the UK would have to be recognised as an ‘approved country’ – i.e. a country secure enough to share data with.
The UK will not necessarily receive automatic recognition as an approved country by the EU. The UK’s Data Protection Act 1998 has undergone close scrutiny, and in its current form the UK’s data protection legislation is viewed by some as ‘a soft touch’ and may need to be revised for it to gain EU approval.
The result could be the UK having to adopt the new GDPR or at least adjusting its own data protection legislation in a similar way.
Unfortunately, the problems associated with the aftermath of the Safe Harbour ruling are far from resolved. The Privacy Shield is not necessarily the answer to the problems raised after Safe Harbour was held to be invalid by the European Court of Justice in 2015.
The underlying principle appears to be that the legal and regulatory framework in the US is still not aligned closely enough with the EU when it comes to the processing or storage of EU citizens’ data – the most significant difference being the right of bulk and indiscriminate collection of data by US government authorities.
In the EU, especially with the passing of the new General Data Protection Regulation, there will be an even stronger focus on the right of the data subject or individual.
For example, owners of data will have the right to be forgotten; individuals will have the right to move their data from one service provider to another; individuals will be able to withdraw consent in respect of the processing of their personal data; and privacy notices will need to be much more clearly drafted.
Of course, the security of the data at all times must be adequate taking into account the risks it could be exposed to.
What appeared to be progress on transatlantic data flows with the unveiling of the Privacy Shield has been tempered by the Article 29 Working Party voicing concerns that the Privacy Shield still allows surveillance of EU citizens.
Should the UK leave the EU, it is likely the Article 29 Working Party will be just as strict with the UK as it has been with the US. For businesses, this would mean being subject to terms similar to those imposed on the US.
For example, an ombudsman will have to handle complaints from EU citizens about the UK security services accessing their data; UK security services and the Home Office will have to provide written commitments that Europeans’ personal data will not be subject to mass surveillance; and agreement will be required to an annual review or audit to check the new system is working properly.
The working party also raised concerns about the strength of the US ombudsman when it comes to dealing with EU citizens’ complaints.
Given this situation, local data storage in the EU may be the only viable option for CIOs looking for a Safe Harbour workaround.
This would avoid the risk of failing to comply with EU data protection laws that expose businesses to fines of up to 4% of annual turnover, a significant rise from the current £500,000 fine under the Data Protection Act 1998.
However the UK handles the next evolution of its data protection laws – be it the next iteration of the Data Protection Act as a country outside the EU or still an EU member state obliged to ratify the GDPR – the impact on businesses will be very similar.
Data protection issues transcend Brexit and are just an example of how interlinked the UK and the EU will remain.
Sourced from Phil Bridge, MD, Western Europe, data and storage technologies, Kroll Ontrack