IIC UK Brexit Series: Data Protection
INTERNATIONAL INSTITUTE OF COMMUNICATIONS
UK CHAPTER EVENT
23 February 2017, London
HOSTED BY Squire Patton Boggs
A data island? Britain’s data protection regime after Brexit – early considerations
As discussed in the IIC’s first Brexit-themed discussion on November 16, the future shape of the UK’s ICT policy will very much depend on what form of Brexit is ultimately agreed between the UK and the EU-27. Will Britain go it alone and rely on its membership of the WTO? Or will the two sides follow the Norwegian model (EEA), the Swiss model (EFTA) or some other form of bilateral arrangement that retains some degree of special trading relationship between Britain and the Continent? If some form of economic trading market is retained, will it include special provisions relating to data protection and cross-border data flows?
Commentators (on both sides of the Channel) seem to agree that due to the crucial economic (and other) interests underpinned by cross-border data exchanges, it will be necessary to ensure the continued flow of personal data between the EU and Britain. The risk is that UK companies could face extra burdens to operate across borders after Brexit, unless the country's privacy standards adhere closely to the bloc's new privacy legislation, as the UK’s DPA Information Commissioner Elizabeth Denham explained in November. This would mean that UK rules on data protection and privacy will have to be “essentially equivalent” to those set out in the EU General Data Protection Regulation, in order to benefit from cross-border data transfers. That might also entail having to “apply” for adequacy as a “safe haven”.
Similarly, the UK’s approach to data retention will need to ensure that the provisions of instruments such as the Investigatory Powers Act do not allow for what the EU Court of Justice has characterised as “indiscriminate surveillance and interception carried out on a large scale,” in violation of the rights and freedoms of individuals. Otherwise, the UK may find itself in the same difficult position as the United States vis-à-vis the negotiation of cross-border data flows with the EU-27.
This poses the question of whether the UK would have any influence on its privacy legislation in the future, or will simply have to effectively adopt the rules adopted by the EU-27, in order to continue trading smoothly with the bloc.
Yet some have argued that there may be positives: a bold approach could leave the UK free to evolve its regulatory approach to the dynamically changing technology landscape in ways that could give it an innovation edge over continental Europe. Could the change then also open opportunities for closer relationships with countries in other parts of the world, for instance with the UK looking to adhere to other regions’ privacy models, such as the APEC privacy guidelines framework?
It is still early in the Brexit process, and it is important to think of and prepare for potential future scenarios in the field of privacy and data protection, as they risk impacting the UK economy and society as a whole in major ways. Will we need to negotiate a UK-EU Privacy Shield? And/or will we be forced into adopting EU legislation de facto in order to retain the UK’s ability to exchange data with the EU bloc?
IIC members and panellists will debate these questions on February 23.
Coordinating Partner, EMEA Communications Law; Co-Chair, Global Data Privacy & Cybersecurity; Squire Patton Boggs (UK) LLP; Director, International Institute of Communications
Chief Privacy Officer & Head of Data Protection Unit, Danish National Police
Head of Cyber Security at G3, London
Privacy Practice Leader, KPMG UK
Group Privacy Officer, Vodafone