Editors’ Note: This is the third in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entries discussed the CCPA and threats to the energy grid. Up next: changes in health care privacy.
On Thursday, December 12, voters in the United Kingdom went to the polls and delivered a decisive victory for the Conservative Party (aka the “Tories”), led by Boris Johnson. The results—the largest number of seats for the Tories since the mid-1980s, and the fewest seats for the rival Labour Party since 1935—mean that Johnson will return as Prime Minister with a substantial working majority. 2020 stands to be a consequential year both for the UK and for those who do business in or with it.
By far the biggest consequence of the election is that Brexit—the UK’s departure from the European Union—is all but a certainty. The current schedule has the UK officially leaving the EU by January 31, 2020, with a “transition period” from that date until December 31, 2020, during which time the parties will hammer out the details of their future relationship. The extent to which the UK either remains closely aligned with the EU on regulations and trade standards or instead sets out to chart a more independent course is thus very much uncertain and will bear watching.
Let’s take a look at what the implications might be in the data privacy and cybersecurity sphere.
The obvious place to begin is with GDPR, the EU’s General Data Protection Regulation, which was adopted by the EU shortly before the June 2016 referendum in which the UK voted to leave the EU, and implemented two years later. The good news for anyone who put in the effort and expense of complying with GDPR for purposes of doing business in the UK or with UK consumers is that that effort was not wasted—and for the time being, nothing further need be done. The GDPR will continue to apply to the UK during the transition period while the EU and the UK work on a deal regarding their future relationship. And though there are many potential sticking points in that deal, coordination regarding data security is not likely to be a particularly contentious issue. It is possible that, as part of the deal, the UK may sign onto the GDPR directly, as have non-EU countries within the European Economic Area (“EEA”) such as Norway, Iceland and Liechtenstein. Even under a “no deal” scenario, where the parties are unable to agree to a deal by the end of 2020 and no further extensions are sought, current UK law provides that, upon the UK’s exit from the EU, the GDPR will be incorporated into UK law as “retained EU law.”
Thus, anyone doing business in or with the UK who currently has to comply with the strictures of GDPR will still have to do so, and for the time being at least compliance with the GDPR will be enough to pass muster under post-Brexit UK law—whether as part of the transition period, an EU-UK deal, or UK law incorporating the GDPR.
Still, even if the standards remain the same, the manner in which they are incorporated over the next year will make a difference. If, for example, the UK incorporates GDPR standards without remaining a part of the GDPR, entities doing business with both the UK and the EU will be subject to one set of standards—but two governing jurisdictions. Privacy policies and other documents making reference to the EU and the GDPR will need to be modified to add references to the UK and the UK’s GDPR equivalent. And entities may face twice the exposure for any violations—as both EU and UK regulators may impose penalties.
Entities involved in the transfer of data from the EEA to the UK, or from the UK to the United States, will need to take steps to ensure that that transfer of data can continue. The GDPR prohibits the transfer of personal data from the EEA to “third countries” unless the third country has been deemed by the European Commission to provide an adequate level of protection for personal data or certain “appropriate safeguards” have been implemented.
During the transition period, the UK will continue to be treated as an EEA state for purposes of the GDPR. When the transition period ends (as is currently set to happen on December 31, 2020), the UK will be a “third country” with respect to the EEA. It is possible that, as part of a negotiated deal, data transfers from the EEA to the UK would continue without restriction. Alternatively, the UK may formally seek an adequacy finding, like other third countries have done.
Either of these outcomes would allow data transfers to continue. But stakeholders should beware: There is no guarantee the EU and the UK will agree to a deal by December 31, 2020, and indeed, just this week, Mr. Johnson indicated that he will seek to bar any potential extension of the transition period beyond that date, whether or not a deal is in place. And the UK government has previously admitted that an adequacy finding is not guaranteed.
In the absence of a deal allowing data transfer, or an adequacy finding, entities will need to rely on Standard Contractual Clauses (SCCs) to allow data to be transferred from the EEA to the UK.
Conversely, entities that transfer data from the UK to the US under the EU-US Privacy Shield will need to update their Privacy Shield commitments and certification as set forth by the US Government’s Privacy Shield website here.
New Transatlantic Rules?
Post-hoc narratives of what an election “means” are almost always overly simplistic, and a foreign observer writing about data privacy and security issues is hardly in a position to do any better. It isn’t going too far out on a limb, though, to suggest that one theme in both the Brexit referendum and the recent election was the UK’s vision of its place in the world and, as part of that, the future of its relationship not only with the EU but also the US. And both the American-born Mr. Johnson and his counterpart in the White House have indicated that a wide-ranging US-UK free trade deal may be in the cards.
Indeed, trade representatives from the two countries have been working together since June 2017 to plan a post-Brexit US-UK trade agreement. In January of 2019, a public hearing on “Negotiating Objectives for a U.S.-U.K. Trade Agreement” was held by the Trade Policy Staff Committee of the US Trade Representative’s Office. It is clear that the issue of cross-border data flows and cybersecurity generally will be addressed in any larger trade deal, but exactly what form this will take is less clear. One witness suggested that the focus would need to be on an adequacy agreement between the US and the UK, on the assumption that the UK would continue to adhere to GDPR standards. Another suggested pursuing an agreement that is “a little bit more cohesive” and works to bring the US, UK and EU all together under one set of standards. A third suggested, instead, that the UK should consider backing away from GDPR standards to make it easier for American companies to do business with the UK.
It may be cliché to say it, but it’s true: elections have consequences. The 2019 UK general election will have major consequences for the UK and for the world—and in an ever-more-connected world, that means there will be consequences for how data is processed, transferred, regulated and secured. What happens in 2020 will soon give us a clearer picture of what those consequences will be.