The United Kingdom’s (“UK”) June 23, 2016 vote to leave the European Union (“EU”), known as “Brexit,” is a long way off from taking effect and is estimated to take at least two years before the UK is subject to the data security requirements imposed by the EU.
Turning to the EU’s General Data Protection Regulation (“GDPR”), set to take effect May 25, 2018: the GDPR is expected to significantly heighten the legal standards surrounding international data security. Specifically, GDPR implements various provisions relating to the privacy of personal information of the citizens of EU member states. GDPR applies to all data controllers and processors who “offer goods and services” within the EU.
The GDPR promulgates a host of factors to determine the law’s application, such as whether the company’s website is in a language of an EU member state, or whether the company is receiving payment in the currency of an EU member state. The GDPR will focus on the jurisdiction of the individual whose data is being collected, rather than the location of the company or its servers.
Currently, the UK’s data protection laws are over a decade old. However, in preparation for Brexit, the UK’s Information Commissioner’s Office last week published a new Code of Practice on Privacy Notices, Transparency and Control (“Code”). The Code, although not binding British law, provides practical guidance to companies looking to maintain compliance during the period of overlap between Brexit and the effect of GDPR. Among other nuances, some examples of the Code’s guidance include: (1) a layered approach to effectively conveying privacy information to the individuals whose information is being collected; (2) preference management tools for individuals to control how their information is used and shared; and (3) implementation of a privacy impact assessment to review the potential impact that large-scale analytics will have on the individuals whose data is being processed.
It is unclear if the British Parliament (namely the House of Commons) will be required to consider and authorize the withdrawal of the UK from the EU. Separately, a vote is pending in the British Parliament to consider adopting GDPR, in whole or in part, as a matter of law. If adopted by Parliament, GDPR may provide for consistency in the standards applied to data processors abroad.
UK companies, like many other global companies, are evaluating how they can comply with GDPR, especially given the likely extraterritorial enforcement of these new international data privacy laws. Specifically, the European Court of Justice has previously signaled that extraterritorial enforcement of international data privacy laws is likely to be upheld, in Case C-131/12, Google Spain SL v. Agencia Española de Protección de Datos (May 13, 2014). There, the Court found that a United States data processing company was liable under Spanish law for processing the web-browsing activities of Spanish citizens in Spain.
Due to the extraterritorial reach and effect of the GDPR and the likelihood of its international enforcement, the UK will likely not be permitted to be a “safe haven” for companies that process data of citizens of EU member states. Even with the uncertainty of the British Parliament’s adoption of GDPR or a similar heightened data privacy standard, and notwithstanding Brexit, international data processors should implement procedures that are compliant with GDPR to continue operations without the threat of international repercussion, liability or penalties. Fortunately, through issuance of the Code, the British Government has provided helpful, practical advice regarding how companies may try to comply with the privacy aspect of GDPR.