Data protection regulations are multiplying across jurisdictions, with varying requirements and often serious penalties for noncompliance. The end of March brings yet another reason to revisit data flows: the combined effect of GDPR and Brexit.
GDPR and Brexit: Where We Are Now
Brexit, the U.K.’s withdrawal from the European Union, is scheduled to take effect on March 29, 2019. Whether and how that exit happens will shape the rules governing data flows to and from the U.K.
The General Data Protection Regulation (GDPR) has applied since May 25, 2018, and any organization, wherever it is located, that processes the personal data of people in the EU must comply with its rules on controlling and processing that data. (The regulation’s term is “personal data,” which is broader than the U.S. notion of personally identifiable information, or PII.) In July 2018 the GDPR was extended to the somewhat larger European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway).
As long as the U.K. has been an EU member, GDPR requirements have applied to it. The moment the U.K. formally leaves, things get complicated, and it is still not clear what the process of leaving will look like. Some hope that a withdrawal agreement clarifying and easing the transition will be reached before the deadline. Others hope that Brexit will be postponed, and still others that it will somehow be canceled. As March 29 approaches, though, it looks increasingly likely that no agreement will be in place by the deadline. That scenario is known as a “no-deal Brexit.”
What GDPR and Brexit Mean for Data Transfer
This uncertainty isn’t only a problem across the pond. Brexit has global implications for organizations whose data flows to or from the U.K. and a post-Brexit EU.
GDPR is a regulation, so it applies directly in every EU member state (and, since 2018, across the EEA); member states pass national laws that supplement it, for example by filling in the choices the regulation leaves to them. Transfers of personal data to a country outside the EEA are permitted only if the European Commission has found that country’s data protection to be adequate, or if another safeguard recognized by the GDPR is in place.
Fortunately, the U.K. already has the Data Protection Act 2018, a law that applies GDPR standards and supplements them with national provisions. It is possible that the European Commission will find this framework adequate and allow data to keep flowing between the U.K. and the EEA after Brexit. But it remains to be seen whether, and how quickly, such an adequacy decision would be made.
A GDPR and Brexit To-Do List
EU-U.K. Data Flow
If the EU doesn’t deem the U.K.’s protections adequate, organizations can rely on other safeguards to show that personal data will be appropriately protected. For instance, they may need to adopt binding corporate rules, or include standard contractual clauses in the agreements between data exporters and importers. Other options include adhering to an approved code of conduct, obtaining data protection certification, or, for U.S. organizations, using the Privacy Shield.
To help U.S. organizations receive personal data from the EU, the U.S. Department of Commerce and the European Commission established the Privacy Shield Framework to sustain transatlantic commerce. The European Commission determined that the Privacy Shield provides adequate protection for transfers to organizations that certify under it.
But Brexit also affects use of the Privacy Shield Framework, since the U.K. will no longer be an EU member. To assist U.S. organizations, the U.S. Department of Commerce has identified the actions an organization must take if it wishes to keep using the Privacy Shield to receive personal data from the U.K. under each Brexit scenario (deal or no deal). The deadlines for those actions vary by scenario.
As data protection laws multiply worldwide, cross-border data transfer is clearly becoming more complicated. To navigate the maze of regulations, organizations may want to seek outside help to minimize the likelihood of a fine for noncompliance.