Now that the shock has worn off and our 401(k)s have (somewhat) stabilized, we can begin to assess the implications that the UK’s historic vote to leave the EU may have on global privacy and data protection rules. While much uncertainty exists, companies should not panic as there will not be any immediate changes.
Under Article 50 of the Treaty of Lisbon, the two-year exit clock starts only once the UK formally notifies the EU of its intention to leave, so it will likely be at least two years before the UK actually exits. The EU’s new General Data Protection Regulation (GDPR), which significantly strengthens the bloc’s privacy standards, is scheduled to apply from May 2018. Accordingly, the GDPR should be in place before the UK formally exits the EU, which means that the UK will need to comply with the requirements under the GDPR, at least for a period of time. And, regardless of Brexit, the GDPR applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, so any UK company that does business in the EU will still need to comply with the GDPR after it takes effect.
After formal departure from the EU, an independent UK will need to decide what its data protection regime will look like. The UK’s current statute, the Data Protection Act, dates from 1998 and is outdated. As the UK’s privacy regulator recently noted, in order for UK companies to continue to trade data and do business with EU member countries on equal terms post-Brexit, any UK data protection framework would need to have data protection standards equivalent to the EU’s. If the UK decides to join the European Economic Area, like the non-EU countries of Norway, Iceland, and Liechtenstein, then the UK would be required to comply with EU privacy regulations, including the GDPR.
While any new UK data protection regime would likely be similar to the GDPR, it probably will not be identical. The UK, and particularly London, prides itself on being more business-friendly than certain other EU member states. Therefore, the UK may attempt to strike a balance between being friendly enough to attract outside investment and strong enough to meet EU standards for adequate protection.
Additionally, the EU and the U.S. are in the final stages of negotiating the details of the Privacy Shield for cross-border transfers of data. It will be interesting to see how Brexit impacts final approval of the Privacy Shield. The UK may choose to enter into a similar pact with the U.S. if the UK is excluded from the final Privacy Shield.
While many have been hoping that international privacy and data protection regimes would become more harmonized in the future, Brexit may indicate a move away from truly unified rules. Going forward, companies must be more cognizant than ever about what personal information they hold and where their data is flowing. And a multinational company with a data incident affecting both the UK and an EU member country could now face enforcement from both EU and UK regulators.