IIC UK Brexit Series: Data Protection
23 February 2017, London
Hosted by Squire Patton Boggs
Data Protection Beyond Brexit – Privacy Legislation and Beyond
Ann LaFrance, Partner, Squire Patton Boggs
Bushra Hasnain, Privacy Practice Leader, KPMG
Mikko Niva, Group Privacy Officer, Vodafone
Malcolm Taylor, Head of Cyber Security at G3
With only a month to go until the UK Government invokes Article 50, there is still little certainty on what will happen after Brexit, as discussed in our last event. Our panellists provided a range of perspectives and insights on the possible implications of Brexit for the evolution of the UK data protection regime.
Data plays an increasingly prominent role in our daily lives and has become a focus of regulatory concern as a result. The EU has pioneered data protection regulation and is in the process of a substantial update in the form of the General Data Protection Regulation (GDPR), which will become enforceable before the Brexit negotiations are completed.
The topic was introduced by setting out the legislative landscape, including current and proposed EU legislation that is in the frame, the timelines for adoption and compliance, and what this may mean for the UK after Brexit. Of particular importance in the data protection sphere, the GDPR and the Network and Information Security Directive (also known as the Cybersecurity Directive) will become enforceable in May 2018. The EU Commission also intends the proposed new e-privacy regulation to come into force at the same time. This means that the new EU legislation will become enforceable in the UK before Brexit occurs.
The EU data protection “adequacy test” was discussed as a potential issue for the flow of personal data between the EU and the UK after Brexit. Under the GDPR, the EU Commission must apply this test to assess whether a country provides “an adequate level of protection” in line with EU data protection norms, including with regard to the scope and supervision of law enforcement access to personal data derived from internet communications.
Our panellists continued in this vein by observing that UK companies are now taking steps to comply with the GDPR in the UK irrespective of Brexit. There are various levels of compliance in which companies find themselves at present, ranging from:
1. Ignoring the situation and hoping that it will go away;
2. Accepting that it will happen, but being oblivious to the effect;
3. Assuming that putting in place a range of legal documents will be sufficient for compliance;
4. Remediating everything and not getting the key aspects sorted in time;
5. Assuming that perfect processes are already in place and the GDPR won’t change anything; and
6. Planning, identifying the risks, prioritising and being pragmatic and realistic.
The conclusion was, unsurprisingly, that the companies which are faring better are those that have adopted the approach of planning, identifying the risks, prioritising and being pragmatic and realistic (the so-called “foxes”).
Businesses should make the effort to comply with the GDPR so as to remain open to exchanging data with the (future) EU-27 market. Our panellists provided a practical overview of the main legal obligations under the GDPR, e.g. those relating to international transfers, data breach notifications, security requirements, and fines. Although Brexit adds a complex lens over the GDPR for companies based in the UK, it does not remove the need to comply with the GDPR.
Next our panellists discussed the trends in the communications market from the provider’s perspective. Technology has changed and is becoming increasingly borderless (for example roaming), and communications providers would like the free flow of data to continue. 5G is a clear example of borderless communications networks and services.
At the same time, personal data has become a focal point of policy and regulation. Companies will need assurance that mechanisms will be put in place to ensure the uninterrupted transfer of personal data into and out of the UK, including for routine functions like employee data and the outsourcing of HR systems. Our panellists discussed options for data-flows post-Brexit. If the UK remains part of the EEA, then it will have to comply with the EU legislation on data protection, which should ensure the continued free flow of data. If the UK opts for a harder Brexit, it will need to seek an adequacy determination from the EU Commission.
In order to obtain an adequacy determination, the UK will need to have conditions for processing which are similar to the GDPR after Brexit. E-Privacy will undoubtedly play a role in obtaining an adequacy determination and the determination process will no doubt take into account the Investigatory Powers Act 2016 in the UK. State surveillance and access to personal data by government authorities are issues that are being considered in relation to the adequacy of existing transfer mechanisms, for example, the EU-U.S. Privacy Shield and the EU standard contractual clauses. It was generally agreed by the panellists that data sharing is fundamental to trade, intelligence, critical national infrastructure and is too important to simply disconnect. It will therefore be necessary to ensure the continued flow of personal data between the EU and the UK.
It was suggested that UK legislation immediately following Brexit will most likely copy the GDPR, but its provisions may evolve in a different direction over time, which could lead to adequacy challenges.
From a security perspective, as it currently stands, the UK relies on two key relationships for sharing intelligence on security threats: the EU and the U.S. In the current environment, both of these relationships could be threatened, leaving the UK without the information it needs to protect itself.
The issue of the interplay between the Investigatory Powers Act and the GDPR also needs to be considered. The UK Government has only limited resources available to deal with the Brexit negotiations, let alone the looming cybersecurity challenge. Resolving the tension between the GDPR and the Investigatory Powers Act may not be a priority concern.
In the closing Q&A conversation, the meeting participants discussed personal data as a currency, i.e. remuneration for services through provision of personal data, especially for online services. The approach to this question differs considerably between the US and the EU, and this could put the UK in a difficult position in between the two models. There was also a discussion about the trend towards data sovereignty and localisation and its impact on the internet going forward.
Matt Buckwell & Asel Ibraimova, Squire Patton Boggs