Brexit + Privacy: What You Need to Know

Cooley Alert
June 24, 2016

The people of the UK have voted to leave the European Union and at the moment it is fair to say that the only certainty is uncertainty for the foreseeable future. However, when it comes to data protection – there really is no need to panic.

Q1: What happens now?

Short Answer: Not much.

Long Answer: Rome wasn't built in a day. There is a period of up to two years to negotiate exit after the UK "hands in its notice" (which is a political choice rather than an obligation) this is orchestrated by invoking Article 50 of the Lisbon Treaty. During this period, all existing legislation remains in force. The UK Information Commissioner's Office ("ICO") has emphasised the importance of clear laws given the growing digital economy and stated that it will be encouraging government to continue with the reform of data protection law. For now, the Data Protection Act remains the "law of the land".

Q2: Does this mean organisations can ignore the implications of the GDPR?

Short Answer: Absolutely not.

Long Answer: The General Data Protection Regulation ("GDPR") which will overhaul data protection legislation across the EU, is due to come into force in May 2018 (before the UK will be able to leave the EU). Further, the way the GDPR is drafted means companies doing business in Europe (whether they are from the UK, US or anywhere else) will need to comply with the GDPR and the risk for non-enforcement could be fines of up to 4% of annual turnover or €20 million – this is not to be taken lightly. Let's not forget the Network and Information Security Directive and ePrivacy Directive are also in the pipeline and pose their own threats (depending on your business).

Q3: What about the Privacy Shield?

Short Answer: It depends.

Long Answer: It depends…

In an ironic case of timing, the Privacy Shield text was concluded in the early hours of the Brexit vote and latest commentary suggests the Privacy Shield is on course to be finalised over the summer, so for now the UK will follow suit with the rest of the EU. If, following Brexit, the UK leaves the EU but remains part of the EEA, the UK will likely retain the Privacy Shield scheme as regards the transfer of data to the United States. If the UK leaves the EU without any trade agreement, anything could happen but the likelihood is that we would have to negotiate our own EU-UK version of the Privacy Shield to meet the EU's high standards on international transfer of personal data.

Q4: What should you do in the short-term?

Short Answer: Keep calm and carry on.

Long Answer:

  • Keep in motion any processes and changes to comply with the GDPR
  • Evaluate your UK operations - what data flows between the UK and the EU and the UK and the US?
  • Watch this space

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.