Very little has changed since we all learned of the outcome of the UK referendum on Brexit in June. The UK Government is still investigating and discussing the internal constitutional principles and requirements for triggering article 50 of the Lisbon Convention. Specifically, the question is whether the notification of withdrawal from the EU falls within the Prime Minister's executive powers or requires the sovereign authority of Parliament and, as such, an act of Parliament. The new Prime Minister, Theresa May, set a hard deadline for a final decision on this, and the EU Commission is expecting formal notification to be submitted between the end of this year and January 2017. A 2-year negotiation period for the UK and EU to reach an agreement is due to start then and come to a conclusion at the beginning of 2019.

Between now and then, a number of EU Directives and regulations are due to come into force with direct effect in all Member States. In the area of Data Privacy and Data Security only the following is expected to come into force:

The aim of this set of legislation is to ensure that, in a globalised economy where goods and services are provided and sourced cross-border around the world, the standard requirements for the protection of personal data of EU data subjects are met consistently across territories, independently of where data are processed. Due to the extraterritorial effects of the GDPR, the regulation applies not only to companies that process personal data in the EU but also to the processing of personal data of EU subjects, independently of the location of the company. Pursuant to the new legislation, businesses should be able to rely on clearer and simpler rules and procedures to run their business smoothly in compliance with the new requirements.
If that is what was in the EU legislators’ minds when they drew up this new set of rules, the question is: is Brexit going to undermine the implementation of the new legislation in the UK, and how would UK businesses with pan-European coverage be impacted as a consequence? The answer depends essentially on which option the UK will adopt among the following three potential scenarios:

(1) Should the UK remain within the EEA, it will continue to be subject to EU legislation like all other Member States and will therefore have an obligation to implement such legislation.

(2) If the UK subscribes to EFTA like Switzerland, it will very likely need to implement the new legislation anyway. In order to facilitate the negotiation of bilateral agreements and maintain effective trade with other European Member States, it will need to adopt internal legislation compliant with the main EU requirements and obtain an “adequacy decision” from the EU Commission to allow the transfer and processing of data in the UK from other Member States.

(3) The third scenario (Canadian model) is the most interesting one for its implications on the sought-after harmonised regulatory framework. By following the Canadian model, the UK would have full discretion to adopt its own data privacy legislation, which would very likely be less stringent and more favourable to businesses. Should the UK approach to Data Protection depart from the new GDPR principles, however, businesses trading from the UK across Europe would find that dual regulation applies to the processing of personal data, with complex implications from an organisational and internal policy perspective:

Due to globalisation, international businesses rely on US service providers, especially for the supply of storage systems. The top 5 cloud storage providers are based in the US. Cloud storage is worth tens of millions of dollars.
This means that there is great demand, from old and new economies, to reach an agreement with the US on the transfer and processing of personal data. The UK will have to join the negotiating table and persuade the US, with a compelling business interest, to expedite the agreement in the short term.

Whichever aspect is considered, whether operational and organisational for companies or political for the nation in maintaining an open market and international exposure to trade, the implications of Brexit for Data Protection regulation seem to be, and to remain, minimal. Even in the extreme scenario of the Canadian option, the UK will very likely adopt a regulatory framework that aligns very closely with the new GDPR. The question is: if this is the case for Data Protection regulation, would the same apply to other areas of EU regulation, and would the UK really have any option but to adapt in any case to the EU regulatory approach?

Marina Mirabella
Senior Partner
The implications of Brexit on the harmonisation of Data Privacy legislation
[Newsletter n. 5]