Maksim Kabakou - Fotolia
Privacy and information security professionals are accustomed to facing down a Herculean cast of perils – whether it’s a one-eyed cyber attack, the siren call from the regulator’s office or the risk of a mutinous employee leaking customer information.
But the June 2016 Brexit vote has introduced a wholly different form of uncertainty – political risk.
In a year that saw the passage of the European General Data Protection Regulation (GDPR), the most comprehensive privacy regulation in history, and the demise of the EU-US Safe Harbor – along with the rise of its replacement, Privacy Shield – Brexit might be the biggest privacy development yet.
Nothing happens until the UK formally notifies the European Council of its decision to leave the European Union (EU), which is unlikely to occur for a few months.
If and when the UK decides to formally notify, it then has two years to negotiate the terms of divorce, during which it will remain a full member of the EU. At least for the next few years, uncertainty is the new norm.
So what does this mean for information governance professionals?
Pre-Brexit: Prepare for the GDPR
In the immediate future, the existing legal frameworks will continue to apply in the UK. European data protection law has been transposed in the UK through the Data Protection Act, which will remain in effect.
There will be an interesting discussion over whether the UK will participate in expected updates to the E-Privacy Directive in 2017. The E-Privacy Directive was also implemented in the UK through local regulations.
Come May 2018, the GDPR will apply directly in every EU member state. With the UK unlikely to have negotiated its exit by then, it appears that – at least for an interim period – the GDPR will be the law of the land in the UK, so it is best to start preparing now.
Preparation might be awkward, as the UK, just on the verge of separating from Brussels, will have to deploy the 200-page framework drafted at the heart of European bureaucracy.
Post-Brexit: Norway, Switzerland or made in the UK?
If and when a Brexit occurs, data protection law will depend on the outcome of the negotiations.
Norway and Switzerland offer two potential models for the UK, with important implications for data protection. Of course, the UK could also chart its own course or somehow decide not to Brexit at all.
Under the Norwegian model, the UK would join the European Economic Area (EEA). This would mean accepting the free movement of people and goods, as well as EU regulations, while at the same time retaining seamless access to the EU single market.
In this scenario, the UK would remain subject to EU data protection regulations, including the GDPR. Commentators are sceptical of this model, given that the UK would have to retain the very characteristics that motivated Brexit supporters to urge departure from the EU.
If the UK opts for the Swiss model, it would have to secure trade deals to gain access to the EU market for each specific business sector. Switzerland’s data protection laws closely mirror those of the EU, and have been deemed “adequate” by the European Commission.
It remains to be seen to what extent Switzerland – and the UK, should it follow suit – will have to keep pace with the GDPR to retain adequacy.
The UK could also decide to go it alone. While the GDPR would clearly not apply in this option, it is important to remember that the GDPR’s geographic reach is broad.
The new regulation applies to any organisation, anywhere in the world, that targets EU consumers or monitors their behavior. Hence, regardless of the chosen course, many UK organisations will have to implement the GDPR to continue doing business in Europe.
Charting a course for the Information Commissioner’s Office
Having recently stepped into the role of information commissioner for the UK, Elizabeth Denham, formerly privacy commissioner of British Columbia and the first non-Brit to be appointed to the office, faces a challenging political climate in Europe.
Although the Information Commissioner’s Office (ICO) will remain part of the Article 29 Working Party, a body of EU data protection authorities, until a formal Brexit, the Working Party may prepare ahead for post-British days.
The ICO’s participation in the European Data Protection Board, the successor to the Working Party under the GDPR, is less certain.
The EEA has yet to implement the GDPR, so it is unclear whether, under the Norwegian model, the UK would have a voice on the newly minted board.
Under the Swiss model, the UK would not join the board, potentially leaving UK businesses in the uncomfortable position of having to appoint a lead supervisory authority outside the UK.
Challenges to UK adequacy
If the UK opts for a Brexit and does not join the EEA, data transfers from Europe could become a major headache. Should the UK decide to pursue adequacy, it would need to put in place something very close to the GDPR – a bitter pill given the UK’s hostility to EU regulations.
Law enforcement access to data could become a significant obstacle. With the EU already critical of GCHQ surveillance powers, and a bill before Parliament set to increase those authorities, the irony is that UK surveillance laws could come under greater scrutiny if it leaves rather than if it remains.
Like the US, the UK may be forced to negotiate a Privacy Shield arrangement to facilitate data transfers, not to mention a data transfer arrangement with Scotland, if it chooses to exit the Brexit, staying in the EU by seeking independence from the UK.
As the countdown to Brexit begins, data protection will be only one piece in an ongoing chess match between the UK and the EU. For privacy and data security professionals, it is time to get comfortable with political risk.
Omer Tene is vice-president of research and education at the International Association of Privacy Professionals.