What Happens to Data Transfers if the UK Leaves the EU?
With the EU referendum campaigns in full swing, we need to discuss the implications of a leave vote on data transfers, and what it would mean for companies.
20 June 2016
Now that the EU referendum campaigns are in full swing, we need to start talking about the implications of a leave vote on data transfers, and what it would mean for companies around the world. Right now, UK companies rely on the UK implementation of the 1995 EU Data Protection Directive (Directive 95/46/EC) — otherwise known as the UK Data Protection Act. But the pending General Data Protection Regulation (GDPR) coming out of the EU means Britain is gearing up to comply with a regulation which would automatically become law in all 28 EU member states. But, without the GDPR and any other directive from Europe, how would a UK government detached from the EU re-evaluate data protection law? More importantly, would it be best to adopt EU law for an easy life anyway?
Putting it bluntly, the UK would face big data transfer issues if it votes to leave the EU. There are two scenarios which could play out. Firstly, the UK could take the European Economic Area (EEA) route (like Norway, Liechtenstein and Iceland); secondly, it could be completely separate from the EEA. The first route isn’t likely to cause much disruption. However, the second route would. Under the second route, data transfers from the UK to the EU and vice versa (which happen all the time if you’re in a global conglomerate) would need to be reviewed by the EU to ensure the UK provides something called “an adequate level of protection”. Switzerland had to go through this review, for example. Realistically, if we look at more privacy-aware countries, such as Germany, France and Spain, it is likely they will put up a fight to challenge the UK’s more relaxed approach to data protection legislation. Should the UK not be regarded as having ‘an adequate level of protection’, any transfers to the UK will legally have to be via EU model clauses, a very administrative-heavy task.
Another sticking point is Binding Corporate Rules (BCRs), a method by which global organisations can make intra-company transfers and an alternative to EU model clauses and data transfer pacts such as the EU-US Privacy Shield. The problem is that BCR applications rely on support from European data protection regulators. At the moment, the legal community is keen to know whether transitional rules would be put in place to allow the UK to continue to participate in the BCR process if it is regarded as having an ‘adequate level of protection’. This again restricts global conglomerates trying to find a simple, legal way of transferring personally identifiable information around the world if the process is held up.
Let’s face it: without any practical guidance — and guidance is unlikely to arrive straight away if we do vote leave — global and UK companies will not know what to do for some time and that could result in an increase in technical data breaches: i.e. companies will be operating against the law without realising. Yes: they would technically need to abide by the existing UK Data Protection Act, but it would need to be adapted in sections because parts of the Act would be rendered futile if we leave the EU.
Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.