It has been a month since the UK voted to leave the EU and there is still plenty of uncertainty along the road ahead. However, when it comes to privacy law, there are some certainties. Ralph O’Brien, Principal Consultant EU at TRUSTe reviews the options.
In the short term the UK Data Protection Act 1998 is still the law of the land, a law that implements the older EU privacy directive EC/46/95 into UK national law. The UK ICO will continue to advise and enforce privacy upon global organisations, and individuals still have the privacy rights afforded by the 1998 Act. Whilst the UK Data Protection Act 1998 and Directive EC/46/95 contain themes and principles that are common to the new privacy paradigm of the General Data Protection Regulation, the GDPR introduces new rights and obligations that are not reflected in current UK law.
In the medium term, the GDPR has been approved by Europe and will be enforceable by May 2018. Even if the UK invokes Article 50 and starts the two year leave count down today, that date will take the UK past that deadline and the GDPR becomes directly enforceable into national law.
In the longer term the UK will need to work out an exit strategy of some kind, including what parts of the EU legacy will continue to apply post leaving the EU, and on what terms it will continue to trade with Europe.
Option 1 – European Free Trade Association Membership and bilateral agreements
The UK could remain membership of the European Free Trade Association (EFTA), but drop its membership of the European Economic Area and EU member state status. The UK would then negotiate a set of agreements bilaterally for specific market segments with the EU to retain access to the EU Single Market (such as Switzerland today). The UK would not be bound by EU legislation as a result, but may be obliged to have certain laws by these agreements. The UK pays no EU fees, but pays fees to the EFTA. In terms of privacy law the UK would continue to be bound by the Data Protection Act 1998, but may be required by the bilateral agreements to pass a revised Data Protection law to bring it into line with EU law (such as the GDPR requirements), or indeed agree to be directly bound by the GDPR itself in order to allow data transfers between the EU and the UK.
Option 2 – European Economic Area Membership (including EFTA)
The UK could leave the EU, but retain memberships of the EFTA and European Economic Area (EEA). This is how Norway, Iceland and Liechtenstein currently deal with the EU. As a member of the EEA, the UK would have to pay membership fees, and be compliant with EU laws, but have no voting rights within the EU. In terms of Privacy law, the GDPR would continue to have direct effect and applicability as if it were an EU member state, however the UK would have no voting rights on future amendments.
Option 3 – Entering into a Customs Union
The UK could follow the Turkish model and form a customs union which allows it to co-operate with the EU in certain trade categories. It would not be required to follow EU trade policy. It would not pay membership fees, or have any right to help shape EU laws. This would be a single agreement, but means for privacy laws the same as the bilateral agreement above.
Option 4 – Free Trade agreement
By taking this option, the UK drops out of the EU single market. It would not pay any membership fees, or have any right to help shape EU laws. It instead negotiates a single free trade agreement with the EU. This is a single agreement, but means for privacy laws the same as the bilateral agreement above.
Option 5 – World Trade Agreement
The UK is already part of the World Trade Agreement, and could rely on this as a basis of trade, with no further ties to the EU. That means it would not be required to adopt EU laws, not contribute to the EU budget or, have any voting rights.
in terms of Privacy law, the GDPR would have no effect, and the UK would continue with its own legislation such as the Data Protection Act 1998. As the Act would be “inadequate” against the GDPR, the UK would have to seek additional assurances should it continue to process data on EU citizens (or market services to them), as such it would have to adopt an agreement similar to the EU-U.S. Privacy Shield or have its laws amended to be regarded as “essentially equivalent” to the GDPR.
In options 1 to 5 above, the UK remains bound by the GDPR or has to pass laws or agreements that ensure similar levels of protection to it. If the UK itself does not have laws or arrangements that ensure its “adequacy” to EU privacy law, then in order to continue to trade they would still need to prove adequacy on a business by business basis. Businesses would then have to individually adopt an international transfer mechanism once the UK pulls away from the EU that ensures adequacy with EU laws, such as Model Contract Clauses, Binding Corporate Rules, Explicit Consent or enact a type of international certification standard such as the EU-U.S. Privacy Shield.
Which ever way the UK turns now, and whatever the future holds for the country, it will continue to trade in a global economy which will have to include processing data and marketing services to EU countries and citizens. Whichever option the UK chooses from this point on, it remains clear that global businesses will have to either comply with, or prove itself adequate or equivalent to the new requirements of the GDPR. If the UK chooses not to do this, the barrier to trade will be untenable to global business and further investment in the country.
The advice to businesses is to proceed on that basis, and continue their GDPR preparedness, as part of their global privacy framework.
Ralph T O’Brien, CIPP/E, CIPM, CiISMP, MBCS, is Senior Consultant for the EMEA region at TRUSTe. Ralph has spent nearly two decades working at the intersection of privacy, security and risk management. He is currently writing and blogging on global privacy and security issues, serving on the Management Committee of the UK’s Data Protection Forum, he is on the committee to revise the British Standard for Personal Information management, BS 10012.
Originally posted on TRUSTe Privacy blog. Reposted with permission.