Brexit: Potential Impacts to Data Privacy and Technology Firms

Background:

In the referendum on June 23 with voter turnout exceeding 70%, voters in the UK decided 52% to 48% to leave the European Union.  The exit of the UK from the EU has been coined Brexit (Britain and exit).  Under the EU, a member may exit subject to Article 50 of the Lisbon Treaty which gives the UK and the EU two years to negotiate the terms of the UK’s exit.[i]

Data Protection and Brexit

Throughout the near term and until the UK effectuates its exit from the EU, the UK will continue to operate under existing EU laws, and the new General Data Protection Regulation (“GDPR”), with mandatory compliance by June 2018, will shape the way that UK firms handle personal data.[ii]  Consequently, it is anticipated that UK firms will be required to implement the GDPR policies concerning the protection of data for EU citizens.  This is echoed by the new Information Commissioner for the UK, Elizabeth Denham, who openly advocates for the UK to move forward with the new GDPR regulations irrespective of the impending Brexit.[iii]  In many respects, then, technology firms in the UK have some assurance that the UK will move forward with GDPR; however, there is still some risk.  Brexit follows closely on the heels of the European Court of Justice’s ruling that the EU/US Safe Harbor agreement was invalid, due in large part to the lack of data privacy protections for EU citizens.[iv]  This is interesting to note since Britain and Ireland were both largely supportive of the Safe Harbor agreement, whereas France and Germany had been pushing for more stringent privacy controls to safeguard their citizens’ data.[v]  Consequently, it would seem that while the replacement for Safe Harbor is being negotiated, the UK will likely have a very keen interest in both the direction and the outcome, since it often finds itself closely aligned with its ally across the Atlantic.

General Data Protection Regulation

The GDPR changes a number of things; the highlights are as follows.  Personal data is expanded to include IP addresses and online identifiers, and companies must have explicit consent to use this data.  Furthermore, citizens will be more readily able to ascertain which companies are storing their data and how their data is being used.  GDPR also introduces the concept of data portability, which allows a person to migrate their data between and amongst companies.  The regulation also includes a duty for companies to advise when personal data is exposed (hacked), and upon request, personal data must be deleted.  Along with duties comes liability: companies that suffer data breaches can face fines of up to €20 million.[vi]

EU-US Privacy Shield

Following the ruling against the existing Safe Harbor agreement, the US and EU put together what is being termed the Privacy Shield.  Under the proposed Privacy Shield framework, any US company that receives personal data from the EU must choose one of the following cross-border transfer mechanisms: (1) typical contractual clauses, (2) binding corporate rules (e.g. intercompany/affiliate data transfers), or (3) the Privacy Shield framework.[vii]  Similarly, any EU company that transfers data to a US company must ensure that one of the three aforementioned schemes is utilized prior to a data transfer.  Any transfers conducted outside these mechanisms would be deemed illegal.  The Privacy Shield itself has several critical elements:

  • Contractual requirements for onward transfers of personal data to third parties: companies that transfer personal data to any third party must have specific contract provisions mandating that safeguards continue to persist for personal data even after the transfer and that the transferor retains control over the third party’s use of the personal data;
  • Right to Modify Personal Data: the data owner has a persistent right to correct, amend, or delete inaccurate personal data or personal data that has been accessed in an unauthorized manner; further, companies may not charge excessive fees when a user exercises these rights;
  • Persistent Contractual Obligations: any downstream party (e.g. recipient) of data must adhere to all of the principles and rights afforded a person with respect to their personal data;
  • Opt-Out Rights: where personal data is either disclosed to a third party or used for a materially different purpose than the original agreement, the subject has an option to opt out (to include modifying use for direct marketing purposes);
  • Dispute Resolution: there is a very specific set of steps and avenues for redress that may be pursued when a citizen asserts that a violation of the Privacy Shield has occurred;
  • Ongoing Compliance Monitoring: the US Dept. of Commerce is tasked with continuous monitoring to ensure that there is full compliance amongst US companies with the Privacy Shield provisions;
  • Restrictions on Bulk Collection: this was one of the leading criticisms of the EU-US Safe Harbor agreement following the revelations by Edward Snowden. Within this, bulk collection is expressly forbidden except in cases where selective collection is impractical and even in those outliers, minimization procedures must be effected to ensure that access to data is for specific purposes only;
  • Establishment of a Privacy Shield Ombudsman: this role will be filled by a person designated by the Secretary of State and will utilize additional State Department personnel as needed to ensure that this role is carried out in the absence of any influence or involvement by the Intelligence Community;
  • Annual Periodic Reporting and Assessment: data protection authorities from both the EU and US Dept. of Commerce will conduct periodic, annual reviews of the Privacy Shield framework to ensure compliance and to assess and advise of changes that should be implemented.[viii]

What path will the UK take?

Because Brexit is going to take a minimum of two years, it seems as though the UK will have no choice but to comply with the GDPR regulations that take effect in 2018.  Having done so, it seems that moving away from those and trying to adopt an agreement such as the Privacy Shield would call for a cost-benefit analysis in which the most efficient solution may well be to merely continue under the GDPR.  However, as the UK continues to assert independence from the concept of the EU, it may need to find and validate a competitive advantage, which could potentially be achieved by moving away from the GDPR and into the Privacy Shield framework.  While the negotiations are just entering their nascent stage, it will be important for EU and UK privacy interests that the terms of the GDPR or a Privacy Shield-like agreement be fully ironed out.  Once outside the EU, for example, the Data Protection Act would no longer denote the UK as a “safe” destination for data since the UK would be external to the European Economic Area.  Thus, either the negotiations under which the UK leaves the EU will have to include some of these provisions or the UK could be folded into or create its own Privacy Shield framework within which it could continue to operate.[ix]

Conclusion

Irrespective of the approach that the UK takes, it seems clear that data protection is going to be a topic of interest during the negotiations, and citizens and companies will have a vested interest in the outcome.  Depending on how this moves and on what is implemented, companies in the UK may be merely on a level playing field with EU companies, or they may be able to bargain for a comparatively better position which affords UK companies the ability to differentiate themselves from either a cost or a services perspective.  Meanwhile, the UK’s slow shift towards some of the US philosophies and its support for the previous Safe Harbor agreement may indicate that the UK is interested in adopting or becoming a partner in the new Privacy Shield agreement.  The last thing the UK wants is a competitive disadvantage, and how it positions itself and what other options are “on the table” will ultimately decide which way the UK chooses to move forward.

 

[i] Brian Wheeler and Alex Hunt, Brexit: All you need to know about the UK leaving the EU, BBCNews, available at http://www.bbc.com/news/uk-politics-32810887 (Oct. 3, 2016) (The two-year time period begins once Article 50 is invoked and negotiations start).

[ii] Nick Heath, Brexit: 5 Ways the UK leaving the EU will affect tech firms, TechRepublic, available at http://www.techrepublic.com/article/brexit-5-ways-the-uk-leaving-the-eu-will-affect-tech-firmsect-tech-firms/ (Jun. 24, 2016).

[iii] Adrian O’Connell, Information Commissioner calls for post-Brexit Britain to implement EU data rules, Irish Legal News, available at http://www.irishlegal.com/5462/information-commissioner-calls-for-post-brexit-britain-to-implement-eu-data-rules/ (Oct. 3, 2016).

[iv] Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, The New York Times, available at http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0 (Oct. 6, 2015).

[v] Id.

[vi] Joe Curtis, EU Passes GDPR laws that require companies to drastically improve their data privacy policies, ITPro, available at http://www.itpro.co.uk/data-protection/26365/your-business-must-prepare-today-for-2018-eu-data-protection-laws (Apr. 15, 2016).

[vii] Chanley T. Howell, et al., Safe Harbor Replacement EU-US Privacy Shield Approved, The National Law Review, available at http://www.natlawreview.com/article/safe-harbor-replacement-eu-us-privacy-shield-approved (Jul. 12, 2016).

[viii] Id.

[ix] Toni Vitale, Brexit and Data Protection – Q&A, Lexology, available at http://www.lexology.com/library/detail.aspx?g=45fa1c0a-54c4-465e-a752-c27a80a6736a (Jun. 30, 2016).
