Brexit might be a relevant change for the privacy strategy of several companies, especially those headquartered in the UK, which could consider to change it.
We still need to fully understand the political decisions that will be taken following Brexit, but I tried to outline below the possible scenarios in the format of a Q&As:
Will EU privacy law still be applicable in the UK after Brexit?
The answer to that question depends on whether the UK is going to exit the European Union but remain part of the European Economic Area (EEA), which would make it still subject to European privacy laws. Under such a scenario, as it already happens with Norway, Iceland, Liechtenstein that are not part of the European Union, the transfer of personal data to the UK would remain free and the UK would continue to be treated as the other EU countries when it comes to privacy law.
If not, what will happen to data transfers after Brexit?
If the UK does not remain part of the EEA, it will not be subject to current EU data protection laws and to the upcoming General Data Protection Regulation (GDPR). As a consequence, transfers of personal data to the UK will be considered as non-EEA transfers.
However, as already declared by the UK Information Commissioner, it is quite likely that UK data protection laws will be considered by the European Commission as providing an “adequate” level of protection to personal data. This means that the transfer of data to the UK would remain free as it already happens for many countries such as Canada, Switzerland, and Israel.
Did you enter into the Binding Corporate Rules?
The Binding Corporate Rules (BCRs) are under the current regime and the upcoming regime to be introduced by the GDPR one of the most efficient tools to manage data transfers outside of the EEA. In this respect, I noticed that the vast majority of companies (the list is available here) that adopted the BCRs had identified the UK Information Commissioner as the lead authority.
The approval of the BCRs also requires the approval by the data protection authorities of the other EU member states. But it will be interesting to see the position that the European Commission will take on the matter. Companies might need to appoint a different lead authority merely, or a new approval process shall be initiated? Does it mean that they will also have to move their headquarter?
Will you have to change your GDPR strategy?
One of the critical changes that will be introduced by the European Data Protection Regulation is the one-stop-shop rule. You can read my blog post on the topic here. Essentially businesses will have to identify a data protection authority in their main establishment in the EEA that will act as “lead authority” in case of transnational disputes.
The advantages of the one-stop-shop rule have been diluted if compared to the first draft of the regulation. But if the UK is no longer part of the EEA after Brexit, multinational companies shall identify a different lead authority and potentially even restructure their group.
No matter what, the GDPR will still apply to UK businesses looking at the EEA
Regardless of the scenarios above, UK businesses offering products and services to individuals located in the EEA will yet have to comply with the EU General Data Protection Regulation. I discussed the matter in more detail in this blog post. Still, the applicability of the regulation also to non-EEA entities is one of the most relevant changes that will be introduced.