As Britain prepares to leave the European Union, privacy professionals on both sides of the ocean may find their lives becoming more complicated. The Brexit referendum leaves the U.K. in a tumultuous state as the world waits to see how the exit proceeds. Britain may now have to negotiate new, separate agreements with both the EU and the U.S., requiring international companies to comply with multiple sets of data privacy regulations.
This turmoil creates changes for organizations on both sides of the Atlantic Ocean. U.S. and EU companies will need to adapt quickly to the changing U.K. privacy environment and be prepared to approach U.K. privacy issues separately from those of EU member states. British companies will need to come up to speed on their "less favored" status when they suddenly find themselves outside of the EU privacy umbrella.
Data sharing agreements
On October 6, 2015, the European Court of Justice invalidated the EU-U.S. Safe Harbor agreement on the grounds that the agreement allowed American government authorities to gain routine access to Europeans' online information. This led to one of the new data privacy regulations, the EU-U.S. Privacy Shield framework for transatlantic data flows, which imposes stronger obligations on companies handling Europeans' personal data. This framework was an attempt to restore business as usual and, if it passes, it will restore the flow of information between EU and U.S. entities.
If Britain leaves the European Union, it will find itself outside of the Privacy Shield agreement negotiated between the EU and the U.S. If the U.K. chooses to continue to apply privacy protections similar to those currently used in data privacy regulations in the EU, the U.S. and the U.K. will need to adopt a separate agreement, which may wind up being modeled after the Privacy Shield. This uncertainty will put a significant burden on businesses seeking to expand operations within the U.K.
What will happen with GDPR?
The new EU General Data Protection Regulation (GDPR) is also due to come into force in 2018. Companies around the world were already preparing to comply with the GDPR throughout the EU and will now need to see how changes in British law affect those efforts. There are two likely courses of action for the U.K. First, Britain could decide to simply adopt the GDPR framework, independently of the EU. Second, the U.K. could decide to develop its own data privacy regulations or framework. Either way, there will likely be changes afoot.
Organizations working with the private information of U.K. residents should adopt a wait-and-see attitude on this issue. There are simply too many changes ahead to make any other response reasonable. Proceeding with GDPR compliance efforts seems to be a prudent strategy, especially for organizations that must comply with the data privacy regulations in other EU member states. Britain's departure from the EU won't take place for at least a couple of years, preserving the status quo from a regulatory perspective. The eventual withdrawal will leave many regulatory gaps, affecting many more issues than data privacy, and the U.K. will need time to react. Organizations should therefore still closely watch the unfolding of Britain's exit from the EU, but there is little action to be taken from a cybersecurity perspective in the immediate future.