If the UK votes to leave the European Union, it faces a complex negotiation of its own “Privacy Shield” agreement to meet new EU data protection laws, say experts.
The European Parliament is set to rubber-stamp the new General Data Protection Regulation (GDPR) on 14 April 2016, but member states have two years to implement it into their laws – by which time the UK may have left the union if it votes for a Brexit in the 23 June 2016 referendum.
If the country votes to sever ties with the EU, a long and complicated process of extrication will begin.
Laws based on EU directives and regulations will have to be untangled, but even if there is no legal requirement to adhere to the principles of the GDPR, businesses that need to process EU citizens’ data – and that includes everything from banks to cloud service providers to UK small businesses – will still be required to stick to them.
How that will work in practice is a matter of debate. To transfer data to third countries – which is what a non-EU Britain would become – those countries must meet certain data protection adequacy standards. Not many do. In particular, the US was only able to get around the problem thanks to the now defunct, voluntary Safe Harbour Framework.
Post-Brexit, the UK would find itself in the same situation of having to demonstrate “essential equivalence” in terms of protecting privacy, according to experts at the Global Privacy Summit in Washington earlier in April 2016.
UK Privacy Shield deal
The hugely controversial EU-US Privacy Shield plan, which has been proposed to replace the Safe Harbour deal, may set the standard for EU-UK data flows. The European Commission could find itself negotiating another Privacy Shield deal, this time with the UK.
Paul Nemitz, European Commission director for fundamental rights and Union citizenship and one of the lead negotiators on Privacy Shield, said a UK-EU data protection deal is unlikely to be on the list of priorities in the event of a UK vote to leave. But, one way or another, EU citizens’ privacy rights would have to be protected, he added.
Leaving the EU would be expensive and complicated for international British companies, according to supporters of the “remain” campaign.
Legal certainty over data flows is just one part of the puzzle, but Thomas Spiller, president of the British Chamber of Commerce in Belgium, said a number of law firms are already drawing up a “Plan B” for companies.
While the UK would certainly retain its own data protection laws, “the UK is seen as a soft touch in terms of data protection,” said Chris Pounder, director of law firm Amberhawk Associates, adding that it is entirely possible the European Commission might not believe the UK offers sufficient protections.
“The UK Data Protection Act 1998 wouldn’t pass the adequacy requirements because of serious shortcomings in the law in transposing the EU Data Protection Directive [now superseded by the GDPR],” said Pounder.
“The European Commission has been keeping everyone in the dark about what those deficiencies are for years, but apparently they are so severe that the European Commission is considering infringement proceedings.
“If the UK votes for Brexit, I don’t think there will be a very civilised divorce. [UK legislation] is very generous to the surveillance services and post-Brexit that is likely to remain the case, perhaps even more so.”
UK surveillance laws a problem
Dutch member of European Parliament (MEP) Sophie In’t Veld, who is active on EU data protection laws, also pointed out the problems with the UK’s surveillance laws.
“We have to bear in mind that mass surveillance was a key issue in the European Court of Justice ruling [striking down Safe Harbour],” she said.
“The activities of the British intelligence and law enforcement services do not appear at first sight to be substantially more in line with the standards set by the court. So that would probably be very problematic for the UK. Not just for trade, but also for law enforcement and intelligence.
“I am not so much of an expert that I would be able to predict exactly what would happen. But in rough terms, unless in the course of the exit negotiations the UK would choose to opt-in to this particular section of law, it would indeed be considered a third country.
“That would mean an adequacy finding would be required. A Privacy Shield-like arrangement might be negotiated,” she added.
“However, at this stage it is far from clear if the US Privacy Shield will pass muster, and if it does, if it will stand up in court – because someone will go to court and challenge it. I would expect any [UK] Privacy Shield arrangement to be stricter than the one currently up for approval by the European Commission.”
It seems likely that Brexit would result in headaches and hand-wringing over EU-UK personal data flows.
It is feasible that a “Privacy Shield II” would have to be negotiated, even while the original Privacy Shield deal is not yet confirmed – although of course the European Commission would most likely give it an alternative name to dissuade anyone from looking too closely.