Brexit has raised the issue of how businesses should prepare for the General Data Protection Regulation, which EU countries must
implement within two years. Here we present arguments for and against UK mirroring legislation.
Why the GDPR is here to stay – probably
Peter Galdies, Development Director at DQM GRC, gives six reasons why UK businesses must still heed the General Data Protection Regulation (GDPR).
Whilst the decision by the people of the United Kingdom to leave the European Union has implications for the legislative framework for privacy in the UK, these implications are unlikely to significantly affect the need for organisations to adopt the General Data Protection Regulation (GDPR). Here are six reasons why:
Reason 1: The 2+ year negotiation phase…
Formal negotiations for exit won’t start until after Article 50 is invoked (giving our official notice to leave the EU), and this now looks likely to be in September 2016 at the earliest. During the mandatory 2-year MINIMUM period, all existing legislation (including GDPR) will continue as before. This period of negotiation could be much longer; many estimate as long as 3-6 years.
The GDPR is actually already law and although organisations have a 2-year window in which to meet compliance, it would be unwise for businesses to assume that after this period there will no longer be a need to comply…
Reason 2: Trading with the EU?
The GDPR applies to, and can be enforced against, organisations that process data on EU citizens regardless of their nationality or location. It doesn’t matter if you are in France, Germany, the USA or India, the GDPR law (and its subsequent penalties) can be applied. Therefore, UK-based organisations attempting to do business with EU citizensin Europe must comply with the Regulation. Failure to do so presents the risk of substantial fines – up to 4% of global turnover.
Reason 3: We just trade in the UK so we’re OK, right? Maybe not…
With over 3 million EU citizens resident in the UK – and at least 2 million of these in employment – the chances are that your business might have data relating to EU citizens.
The GDPR is primarily concerned with processing personal information about individuals who reside in the EU (although the EU Parliament also seems to consider residence irrelevant), offering goods and services to these individuals or monitoring their behaviour. However, who determines whether someone is a resident or not? Does a two-month holiday in London by an EU citizen mean that they are a non-resident?
Does the individual need to be granted residency status within the UK to be excluded from the terms of the GDPR?
Reason 4: The Information Commission thinks so…
According to a statement on the 26th June from the ICO: “If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms, we would have to prove ‘adequacy’.
In other words, UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
This statement implies that our new Information Commissioner (Elizabeth Denham, who has a proven history of backing and enforcing consumer rights while encouraging transparency within business) is likely to encourage legislation that mirrors the requirements of the GDPR. It’s also worth noting that UK privacy professionals were key in shaping this legislation in the first place – and that the view of what constitutes good privacy doesn’t change simply because we chose to exit the European Union.
Reason 5: Trade negotiations… an easy win.
Over the next few years, the pressure to negotiate a strong trade deal with the EU will drive the adoption of supporting ‘mirror’ legislation designed to minimise barriers to continued trade. Some measures (such as open borders) will be highly contentious. However, it is unlikely that improved privacy protection would be seen as such. In fact, it’s an issue that many could openly support and encourage as an ‘easy win’, which would provide increased compatibility and security for UK-EU trade and improved protection for both groups of citizens.
Reason 6: It needs doing anyway.
It’s the right thing to do. Most of the UK’s existing data protection legislation was written before the widespread adoption of the internet and the globalisation of trade – and the collection of vast amounts of new data about data subjects that followed. Internetbased social media services, such as Facebook and Twitter, didn’t exist and currently enforced laws on data protection were not created to accommodate them.
It’s now easier than ever before to build and infer much about individuals from the data they generate, often unknowingly, in their day-to-day activities. We are all entitled to a free and private life, so we need laws that help protect us – and the legal framework prior to GDPR doesn’t cut it.
The GDPR, while far from perfect, does offer an improved model for data protection, and it is (perhaps arguably) right and pragmatic for the UK to adopt similar legislation.
So, while it’s true that we are going to be living in uncertain times for a few years to come, it is likely that privacy will still be high on the agenda. When the next high profile data breach or misuse happens (think TalkTalk), the public reaction is likely be the same regardless of Brexit. Ultimately, the pressure for organisations to retain and build trust will remain – as will the pressure on regulators to govern.
Although the adoption of the GDPR as mirroring UK legislation is highly likely, we should also be aware that Brexit will leave the UK ‘on the outside’ for the development of future privacy legislation that, in practice, may well apply to UKbased organisations. The review of the EU E-Privacy Directive has now started and this is likely to affect how UK businesses can use data and e-mail, social media and other communications to reach EU citizens. It remains to be seen whether we have influence over this in the next couple of years. Even if we do, our voice will be less powerful than before.
Brexit Allows UK to Unshackle Itself from EU’s Cumbersome Data Protection Rules
Daniel Castro, director of the Center for Data Innovation, argues that implementing the GDPR is inimical to innovation and offers no guarantees that the EU would consider it sufficient to meet its adequacy standard.
The decision by the United Kingdom to leave the European Union will soon launch one of the largest policy undertakings ever, as British leaders and diplomats race against a two-year deadline to negotiate new arrangements with the European Union and new treaties with other countries previously governed by agreements made through the EU.
While the first order of business will be ensuring British citizens can travel abroad and British companies can access foreign markets, in today’s digital economy there should also be a significant focus on how the UK will ensure the free movement of data both internally and across borders. Fortunately, this is one of the bright spots for the British economy, as the UK will now have an opportunity to replace the stringent EU data protection regulations with a more forwardlooking set of rules that enable datadriven innovation and, in so doing, cement the country’s leadership in the digital economy.
A lonely voice
The UK has long been a lonely voice of reason in the EU, arguing for light-touch regulation of the digital economy even as countries such as France and Germany have overruled it. The result has been that while the digital economy is stagnant in the EU, it is thriving in the UK. Indeed, as a share of GDP, the Internet economy in 2016 is expected to reach 12% in the UK, far above the 3% and 4% in France and Germany.
Yet some in the UK want to continue to bind the British economy to EU-style data regulations out of fear that failing to do so would create a regulatory headache for British companies doing business in the EU.
While it is true that British companies need to be able to process personal data of employees and customers in the EU, there are multiple paths to achieve that goal, and mirroring EU rules is not the best option.
First, the EU’s General Data Protection Regulation (GDPR), set to come into effect in 2018, will likely further limit digital innovation in EU member nations.
The GDPR establishes strict rules on how companies can collect and use personal information. For example, the rules mandate that companies specify how they will use data before they collect it, a requirement that by definition limits the type of experimentation and innovation that has become the hallmark of the data economy.
In addition, the regulations allow for penalties of up to 4% of a company’s global revenue, which means that the private sector will be investi ng heavily in compliance to avoid violations. These expenses will divert funds from more useful product development, raise costs for consumers and force companies to become risk averse.
The UK would be wise to protect its companies from the restrictions and penalties resulting from these types of heavy-handed, innovationlimiting regulations.
Second, even if the UK were to fully implement the GDPR, there is no guarantee that the EU would determine its data protection laws meet its adequacy standard – a necessary precondition for companies in the UK to continue processing European data as they do today.
After all, the biggest hurdle in negotiating the successor to the U.S.-EU Safe Harbor agreement was not that the United States had a different style of data regulation, but rather that U.S. government surveillance programs purportedly put EU citizen privacy at risk. Yet, some European countries have passed more intrusive surveillance laws than those in the United States, such as those passed by France following the Charlie Hebdo terrorists attacks in Paris.
The EU has not held its member states to the same standard as it does non-EU countries. The UK, which is set to pass its own controversial surveillance legislation, should not expect to receive a pass even if it adopts measures equivalent to the GDPR.
Rather than seeking an adequacy determination, the UK should take the approach pursued by most non-European countries and use other legal mechanisms, such as model contracts and binding corporate rules, to enable lawful transfers of personal data between the UK and EU member states. Or it could negotiate something akin to the Privacy Shield agreement, which was established to allow for the exchange of data between the United States and the EU.
Any of these approaches would allow UK policymakers to establish their own data protection rules that balance the right to privacy with other competing interests, such as national security, economic prosperity, innovation and public health, while still maintaining free trade with Europe.
Daniel Castro (@CastroTech) is director of the Center for Data Innovation, a think tank focused on data and public policy.