Will Brexit have a significant impact on data transfers involving personal information? While it's hard to speculate what the impact will be, it could largely depend on the specific path the UK chooses to take once its separation from the EU is finalized.
Because Brexit directly involves the United Kingdom and the European Union, it should mainly affect (if at all):
- data transfers between UK and EU member states;
- data transfers between other countries and UK; and
- data transfers between other countries and EU member states.
Before we talk about the various post-Brexit scenarios that could affect data flows, let's first discuss the current lay of the land. This is what we know...
Data Protection Directive and Safe Harbor
Today, data exchanges between the UK and other EU member states are pretty much seamless. As part of the European Economic Area, or EEA (which consists of the EU member states along with Iceland, Liechtenstein and Norway), the UK can freely exchange personal data with other EU member states as well as the other members of the EEA.
These exchanges are subject to the provisions of the Data Protection Directive, the existing law that governs all data flows involving EU residents' personal data and which harmonizes data protection laws across the EEA. The UK's laws are aligned with this directive through its Data Protection Act 1998, or DPA. This alignment enables the free flow of personal data.
Data exchanges between EEA member states (which currently include the UK) and non-EEA countries are a bit more complicated. Under the Data Protection Directive, countries that don't belong to the EEA, a.k.a. "third countries", have to meet certain "adequacy" standards. If a third country's data protection legislation is deemed inadequate, i.e. not on par with the protection afforded by the Data Protection Directive, that country would have to enter into special agreements (or rely on other legal mechanisms) with the EEA before personal data of EU residents could be exported to it.
For example, the United States, whose data protection legislation is considered inadequate by the EU, had to rely on the Safe Harbor Agreement (recently replaced by Privacy Shield) in order for personal data to be transferred from EU member states to the US.
What now happens to these exchanges after Brexit?
General Data Protection Regulation
Let's say there won't be any change of plans and the UK does invoke Article 50 to formalize Brexit. From what we're seeing in the news, Article 50 could be triggered in the next couple of months. By the time Brexit formally takes effect two years from now, a new data protection regime governing cross-border data flows will already be in place in the EU. That new regime is none other than the General Data Protection Regulation, or GDPR, which is slated to replace today's Data Protection Directive.
The arrival of the GDPR doesn't automatically mean the end of seamless data flows between the UK and EU member states. If the UK opts to stay in the EEA, that would mean it's also willing to align its data protection legislation with the GDPR and, hence, data can continue to flow freely. Problems can arise only if the UK decides otherwise.
If UK also leaves the EEA
Data transfers between UK and EEA member states
If the UK somehow also decides to leave the EEA, it would be treated as a third country and the alignment between the UK and EEA data protection regimes would likely come to an end. The GDPR is definitely more stringent than the Data Protection Directive. Hence, the UK would not be able to rely on the DPA for alignment. While the UK could come up with new legislation to meet the EEA's data protection adequacy standards (which is what Switzerland has been doing), we're really not sure if that's the direction they would take.
This misalignment would mean that companies in the UK will no longer enjoy seamless exchange of data with organizations located in EU member states. This can be a problem for businesses in the UK that need to transact with trading partners operating in the Single Market.
In order for UK-EU data exchanges to continue, the following options can be pursued:
- the UK and EU governments can engage in something similar to the EU-US Privacy Shield;
- companies can put in place adequate safeguards and enter into Model Contract Clauses; and
- multinational companies can establish Binding Corporate Rules.
Data transfers between other countries and the UK
What if a company in another non-EEA country wants to transfer personal data from the UK? In the current setup, that company could be subject to the provisions of the DPA / Data Protection Directive. If that country does not meet adequacy standards, then the same legal options are available: model contract clauses, binding corporate rules, or something like Privacy Shield.
As for what happens after Brexit gets formalized, everything is still up in the air for that same company. We don't know how the UK is going to approach data privacy/protection. They could be more stringent (less likely) or more relaxed. It all remains to be seen. A more relaxed data protection regime would of course bode well for businesses, considering that these companies are already transferring personal data while subject to the (relatively stringent) DPA.
Data transfers between other countries and EEA member states
Unlike the previous scenario, this one is more predictable because we know what data protection regime applies today and what regime will apply about two years from now. Today, data transfers between third countries and EEA member states are subject to the provisions of the Data Protection Directive. But two years from now, those transfers are going to be governed by the GDPR.
If, like the US, a country's data protection legislation is deemed inadequate, then the same legal options would still be available: model contract clauses, binding corporate rules, or something like Privacy Shield.