The Brexit vote has complicated the data protection and privacy landscape and caused uncertainty, according to Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells.
An adequacy ruling would be the easiest option for ensuring unimpeded data flows between the UK and EU post-Brexit, but despite the UK government’s efforts to align domestic data protection with the EU’s General Data Protection Regulation (GDPR), it may not be plain sailing, he told the IAPP Data Protection Intensive conference in London.
However, he said one “helpful certainty in a world of uncertainty” is that for the foreseeable future, data protection in the UK means the GDPR, which is “good news from a decision making perspective” because “no matter what shape Brexit takes,” data protection law in the UK will look like the GDPR.
Although the UK government has been criticised for not having a variety of plans for Brexit, Ustaran said there has always been a plan for data protection. This was set out in a paper on the exchange and protection of personal data in August 2017, and followed up by the announcement of new data protection legislation the following month.
Even though the UK government was facing the “biggest policy, regulatory and economic change of generations”, he said it is “pretty impressive” that the government added a new data protection Act to its list of work.
The new legislation, said Ustaran, has been driven by British practicality around data exchanges with Europe post-Brexit. “The UK was the first country to transcribe into local law in the 1998 Data Protection Act the EU’s 1995 Data Protection Directive, and will be the first to implement the GDPR,” he said, with almost 100% certainty that the new Data Protection Act will be signed into law by 25 May 2018.
Describing the 7-part Data Protection Bill as “super complex”, Ustaran said the 318-page document is closely aligned with EU data protection, with 750 references to the GDPR.
However, despite the best laid plans of the UK government, the European Commission issued a Notice to Stakeholders in January 2018, which Ustaran said was a warning shot by the EC that an adequacy ruling is not guaranteed and that the UK must not be complacent.
“This document means that for the time being the whole issue of data exchanges between the UK and the EU is up in the air,” he said.
The document outlines several options that companies should consider to ensure uninterrupted data flows between the UK and the EU post-Brexit in the absence of an adequacy ruling or equivalent arrangement negotiated as part of the final Brexit agreement. Although not without challenges, Ustaran said that binding corporate rules (BCRs) at present look like the best contingency for companies.
For the UK government, he said, indications are that it should start thinking along the lines of establishing its own Privacy Shield type agreement with the US, but will have to do it in a way that does not jeopardise its chances of achieving some sort of adequacy ruling from the EU.
According to Ustaran, there are two likely outcomes. First, the best case scenario would be a UK-EU partnership agreement that covers data protection and includes an adequacy ruling or something like it and a role for the UK Information Commissioner’s Office (ICO) in the European Data Protection Board.
The second is that the UK ends up in a “hard Brexit” situation because no partnership agreement is reached. “In that case, the question would be if the EU would be receptive to an application for adequacy from someone who has just slammed the door in their faces,” said Ustaran.
However, either way, he said the UK’s controversial Investigatory Powers Act and the sections on investigatory powers in the Data Protection Bill could present a challenge to any adequacy ruling.
“There is a whole new section on surveillance and investigatory powers of law enforcement and national security officers in documentation from the Article 29 Working Party that advises the European Commission on adequacy matters,” he said.
And the “rather strong” powers set out in UK legislation in that respect, he said, introduce some tension with the limits on interference with the rights of individuals that the EU would demand. “And that could be a sticking point,” said Ustaran.
Taking an optimistic view, Ustaran said he believes the most likely scenario will be that the UK and EU will reach a “cooperation agreement” on ensuring that data transfers between the UK and the EU, and the rest of the world, are lawful and adequate in terms of data protection and privacy requirements.
“And even more ambitiously, the UK will want to continue to play a role in developing a global privacy framework,” he said, in the same way it has influenced the development of data protection in Europe, Asia, North America, Africa and the Caribbean.
“Perhaps, as part of new partnership with the EU, the UK could continue that role in developing a global privacy framework that is so badly needed.”
In conclusion, Ustaran said that given that companies and organisations know what the legal framework is going to look like for at least the next four years, it is “quite possible” for UK companies to fix on an approach to take on data protection for their operations worldwide.