[Newsletter n. 5]

Very little has changed since we all learned of the outcome of the UK referendum on Brexit in June.

The UK Government is still examining the internal constitutional principles and requirements for triggering Article 50 of the Treaty on European Union (the Lisbon Treaty). Specifically, the question is whether notification of withdrawal from the EU falls within the Prime Minister's executive (prerogative) powers or whether it requires the sovereign authority of Parliament and therefore an Act of Parliament.

The new Prime Minister, Theresa May, has set a hard deadline for a final decision on this, and the EU Commission expects formal notification to be submitted between the end of this year and January 2017. The two-year negotiation period for the UK and the EU to reach a withdrawal agreement would start from that notification and conclude at the beginning of 2019.

Between now and then, a number of EU directives and regulations are due to come into force with direct effect in all Member States. In the area of data privacy and data security the following are expected to come into force:

  • GDPR (General Data Protection Regulation), politically agreed on 15th December 2015, formally adopted on 27th April 2016 and due to apply from the 25th of May 2018
  • NIS Directive (Network and Information Security Directive), adopted on the 6th of July 2016 and due to be transposed into national law by May 2018
  • E-Privacy Directive, under review, with a public consultation launched in April this year.

The aim of this set of legislation is to ensure that, in a globalised economy where goods and services are provided and sourced cross-border around the world, the standard requirements for the protection of EU data subjects' personal data are met consistently across territories, independently of where the data are processed. Because of its extraterritorial effect, the GDPR applies not only to companies that process personal data in the EU but also to the processing of personal data of data subjects in the EU by companies established elsewhere, where they offer goods or services to those data subjects or monitor their behaviour. Under the new legislation, businesses should be able to rely on clearer and simpler rules and procedures to run their business smoothly in compliance with the new requirements.

If that is what the EU legislators had in mind when they drew up this new set of rules, the question is: will Brexit undermine the implementation of the new legislation in the UK, and how would UK businesses with pan-European coverage be affected as a consequence?

The answer depends essentially on which of the following three potential scenarios the UK adopts:

  1. Remaining part of the EEA (European Economic Area) by joining EFTA (Norwegian model),
  2. Joining EFTA, the European Free Trade Association, but staying outside the EEA (Swiss model), or
  3. Sitting outside both completely to retain full discretion in its political choices (Canadian model).

(1) Should the UK remain within the EEA, it will continue to be bound by EU internal-market legislation, including data protection law, in the same way as the other EEA EFTA states, and will therefore have an obligation to implement it.

(2) If the UK joins EFTA like Switzerland, it will very likely need to implement the new legislation anyway. In order to facilitate the negotiation of bilateral agreements and maintain effective trade with the EU Member States, it will need to adopt domestic legislation compliant with the main EU requirements and obtain an "adequacy decision" from the EU Commission to allow the transfer of personal data from the Member States to the UK for processing there.

(3) The third scenario (Canadian model) is the most interesting one for its implications on the harmonised regulatory framework the EU is seeking.

By following the Canadian model, the UK would have full discretion to adopt its own data privacy legislation, which would very likely be less stringent and more favourable to businesses. Should the UK approach to data protection depart from the new GDPR principles, however, businesses trading from the UK across Europe would find that dual regulation applies to their processing of personal data, with complex implications from an organisational and internal policy perspective:

  • One stop shop. UK companies with pan-European businesses would not be able to benefit from the "one stop shop" mechanism, under which the cooperation procedure is led by the supervisory authority of the country of the company's main establishment (the lead supervisory authority). The ICO (the UK Information Commissioner's Office), being a non-EU data protection authority, could not act as lead authority. The main establishment of a company (the place where decisions on the purposes and means of processing are taken) may well differ from its head office location, so UK companies might find themselves dealing with the ICO on one side and the lead EU supervisory authority on the other when defining internal procedures and compliance policies to meet the applicable data protection requirements.
  • Transfers between the UK and the EU. Transfers to the UK from the EU would be treated as transfers outside the EU, and the UK would need to apply for an adequacy decision from the EU Commission. The current "model clauses", approved by the EU Commission under the 1995 Directive to harmonise the contractual undertakings for processing personal data outside the EU, would have to be reviewed and updated in line with the GDPR. Binding Corporate Rules (which allow transfers among group companies outside the EU) would have to be approved by a competent EU supervisory authority under the GDPR consistency mechanism involving the European Data Protection Board. The newly agreed Privacy Shield for transfers of data to the US would not be available to the UK once it is no longer part of the EU.
  • Transfers to the US. It took around nine months, from the invalidation of Safe Harbour in October 2015 to the adoption of the Privacy Shield decision in July 2016, to negotiate and approve the Privacy Shield between the EU and the US, notwithstanding the substantial trade between the two continents and the pressure from businesses to reach an agreement on data transfers. The timing of any agreement between the US and the UK on transfers of personal data will depend on the degree of economic interest between the parties.

Because of globalisation, international businesses rely on US service providers, especially for cloud storage and hosting. The top five cloud storage providers are based in the US, and the cloud storage market is worth tens of billions of dollars a year. This means there is great demand, from old and new economies alike, to reach agreements with the US on the transfer and processing of personal data. The UK will have to join the negotiating table and present the US with a compelling business case in order to expedite an agreement in the short term.

Whichever aspect is considered, whether the operational and organisational one for companies or the political one for a nation wishing to maintain an open market and international exposure to trade, the implications of Brexit for data protection regulation seem to be, and are likely to remain, minimal. Even in the extreme scenario of the Canadian option, the UK will very likely adopt a regulatory framework that aligns very closely with the new GDPR.

The question is: if this is the case for data protection regulation, would the same apply to other areas of EU regulation, and would the UK really have any option but to adapt to the EU regulatory approach in any case?


Marina Mirabella
Senior Partner