Fate of Data Protection, Privacy Shield in UK Uncertain After Brexit
The status of existing data protection rules and Privacy Shield in Britain is unclear following the nation's Jan. 31 departure from the EU, privacy attorneys told us. The two sides are in a transition period until Dec. 31 to allow them to negotiate a new relationship. During that time, the EU general data protection regulation will apply in the U.K., and companies won't need to take immediate action, a U.K. Information Commissioner's Office (ICO) FAQ says. It's anyone's guess how the talks will pan out and what they will mean for data protection rules between the U.K. and EU or the U.K. and the U.S., lawyers said.
"If the negotiations do not deliver and there is no agreement, the UK will become a third country," Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten emailed us last month. Whether U.K. data protection law will be recognized as adequate to allow transfers depends on the outcome of a review by the European Commission and other bodies. That process is supposed to take place during the transitional period, "but there is no guarantee that this will be completed on time" or that the decision will be positive, he said. Issues could arise about some U.K. laws on state surveillance or immigration exemptions, as well as because data protection will no longer be a right safeguarded by the EU Charter of Fundamental Rights.
Unless the U.K. data protection level takes a "sudden and unexpected plunge," which is unlikely, there should be nothing standing in the way of an EU adequacy decision, emailed Morrison & Foerster (Brussels) privacy attorney Alja Poler De Zwart last week. The only question is when the EU will find the U.K. adequate, she said: It's hoped that will happen by year's end, but "I would not bet my money on anything right now."
Privacy Shield's fate depends on the U.K.'s future relationship with the U.S., Van Overstraeten said. The mechanism may no longer be required, but that could affect the adequacy of U.K. law because "the EU may worry about a less stringent UK-US regime that would enable less robust EU-US data transfers to occur through the UK."
Little might change for PS, though U.S. organizations relying on it to receive personal data from the U.K. probably should update their certifications, said Poler De Zwart. Commerce Department FAQs note participants seeking to receive personal data from the U.K. will have to update their public commitments to refer to the U.K. specifically, she said.
One key change will be to the ICO's role, said a Jan. 31 Covington & Burling client alert. The law firm noted the U.K. will lose its status as a full member of the European Data Protection Board and, once the transition ends, its "role as a lead authority will come to an end."