It’s virtually impossible to avoid mention of the upcoming United Kingdom EU referendum and the positive or negative effects that leaving or remaining in the Union would have on business, the economy and our general way of life in the UK. Thought should also be given to the impact a vote for Brexit would have on data transfers, not only for business in the UK, but across the globe.
UK organisations currently adhere to an interpretation of the 1995 EU Data Protection Directive (Directive 95/46/EC), better known as the UK Data Protection Act. However, with the General Data Protection Regulation (GDPR) due to become law in May 2018, Britain is working toward compliance with a regulation soon to be automatically enforced across all 28 EU member states.
It’s worth considering, then, how a UK government disconnected from the EU would re-evaluate the country’s data protection law without the GDPR or any other European directive to guide it. Indeed, it might be easier to simply adopt EU law for the sake of convenience. Essentially, a vote to exit the EU would leave the country with big issues around data transfer.
Exploring the alternatives
Like Norway, Liechtenstein and Iceland, the UK could take the European Economic Area (EEA) route, which is unlikely to cause any significant disruption, providing as it does for free movement of services and products with the EU’s member states. The alternative is to be completely separate from the EEA, which would require data transfers from the UK to the EU and vice versa - an ongoing concern for global conglomerates - to be reviewed by the EU to ensure the provision of an “adequate level of protection”.
It’s likely that more privacy-aware countries, such as Germany, France and Spain, will challenge the UK’s relatively relaxed approach to data protection legislation. Should these challenges succeed, and the UK be seen to be providing a less than “adequate level of protection”, then any data transfers to the UK will have to be made via EU model clauses, which require a significant level of administration.
One alternative to these EU model clauses is Binding Corporate Rules (BCRs), which allow global organisations to make intra-company transfers. Should the UK vote out, the legal community will need to know whether transitional rules will be put in place so the UK data protection authority can continue reviewing BCR applications.
Even if these rules were put in place, there are questions over how long this would take. With the UK data protection authority in the midst of managing these applications for many global conglomerates, any hold-up in the process could prevent these companies from finding an alternate legal means of transferring personally identifiable information intra-group around the world.
Ultimately, if we vote for Brexit, any practical guidance around data transfers will be unlikely to arrive immediately. Having left the EU, it will be some time before global and UK companies alike will know what to do on the issue.
During that time, with companies largely unaware that they might be operating against the law, the risk of technical data breaches will undoubtedly increase. So, however the referendum plays out and however it affects the UK’s economy and its general way of life, it’s worth considering that leaving the EU would leave businesses in the UK and beyond with a number of critical legal issues around their data transfer processes.