Brexit and the future of data transfers to the UK
Diritto e libertà
On 29 March 2017 Theresa May, the Prime Minister of the United Kingdom, officially invoked Article 50 of the Treaty on European Union, effectively triggering Brexit. But what does that mean for us as data protection and privacy experts and how will companies be affected by Brexit?
The Lisbon Treaty establishes that countries exiting the EU have two years after the notification to negotiate and conclude a withdrawal agreement, leaving investors and businesses with a great deal of uncertainty. Access to the single market is critical for the UK economy and Britain’s EU status allowed it to attract an incredible number of multinational investors, but in light of the unpredictable situation in which the UK will find itself in two years many businesses are looking for continental alternatives.
Until the UK completely exits the EU nothing will change in terms of practice. Regulation (EU) 2016/679, the GDPR, for example, which will enter into force on 25 May 2018, will be applicable to all business regardless of their place of establishment if they offer goods and services to EU citizens.
Experts have also suggested that upon Brexit, the Regulation will be transposed into domestic law, though this still remains to be seen. On this point, the recent Information Commissioner’s Office (“ICO”) call for consultation on its first GDPR-related draft Guidance on consent under the GDPR may be seen as a reassuring sign from the ICO, going in a direction of future compliance with the GDPR regardless of Brexit.
However, once withdrawal from the EU is completed, the safe transfer of data between the UK and EU Member States will need to be ensured. The current scenario provides a few options to safeguard such transfers:
1. The EU Commission could recognize that the UK provides “an adequate level of data protection” pursuant to Article 45 GDPR;
2. The UK could negotiate a new data flow agreement similar to the EU-US Privacy Shield;
3. The derogations outlined in Articles 46 et seq. GDPR including data subjects’ consent, Model Contractual Clauses, Binding Corporate Rules, etc. could apply.
Last month the UK Government published a White Paper outlining its exit and new partnership with the EU. In the Paper, the government states that as it leaves the EU, it “will seek to maintain the stability of data transfer between EU Member States and the UK” and specifically points to EU regulations for the provision of high standards of goods and services such as those concerning competition and consumer protection and intellectual property, and data protection.
Stressing the importance of the data economy, it recognizes the vitality of the free flow of data for the tech, financial services and energy sectors and points out that “The European Commission is able to recognize data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely”.
Formal withdrawal negotiations are expected to commence in May or June of this year and are likely to be influenced by both the French presidential and German parliamentary elections. EU negotiator Michel Barnier has said that negotiations should concluded by October 2018 in order to allow adequate time to ratify the deal and adhere to May’s promise of exiting by summer 2019.