This article has created great debate amongst our membership and the privacy community regarding BCRs, lead authorities, and mutual recognition. Following its publication, the Information Commissioner’s Office published a blog stating, “It’s important to note that no BCR authorisation will be cancelled because of Brexit. The ICO will continue to work together with other European data protection authorities for international transfers to be achieved and to ensure that the ICO’s leading expertise in BCR is continually available to the international controller and processor community.” The IAPP will continue to monitor this issue and keep you abreast of the latest Brexit and BCR news.
Brexit has the potential to invalidate U.K. lead-authorized BCRs. If you don't know: BCRs are a set of European data protection standards which enable private multinational companies to legally export data belonging to citizens of the European Economic Area (EEA). Disrupting BCRs would disable operations of multi-billion-dollar businesses, which would affect markets on a global scale.
Here is the logical breakdown of this conundrum. If the U.K. is not in the EEA (comprising the EU and members of the European Free Trade Association, minus Switzerland), the European Commission has indicated the U.K.'s data protection authority, the Information Commissioner's Office, cannot be a BCR lead authority. If the U.K. cannot be a BCR lead authority, all U.K. BCRs may be invalidated. So businesses that currently rely on U.K.-approved BCRs will be prevented from exporting EEA personal data from any mutual recognition countries which relied on those BCRs.
This issue of whether BCRs will be invalidated in the wake of Brexit is a crucial one that has been largely overlooked, despite its potential to affect global markets. While any conclusions can only be speculative given the limited information we have, the time to unpack and consider these theoretical conclusions is now.
What we know
We know that BCRs are a crucial adequacy mechanism for exporting Europeans' data, and their validity is implicated in the Brexit fallout. While no guidance has been provided regarding exactly how the EU will handle this newly presented issue, there is no doubt that the issue exists.
In order for a business to possess legally adequate BCRs, EEA data protection authorities, including one lead authority, must sign off on them. Once the lead authority determines a company's BCRs meet Article 29 Working Party criteria, all DPAs with mutual recognition will also (ostensibly) authorize the business to export their personal data. Other adequacy mechanisms do exist to enable these types of data transfers (standard contractual clauses, for example), but many business engagements rely solely on BCRs, which is why this issue is so crucial.
Currently, 21 out of 88 BCRs found to meet the Article 29 criteria are U.K. BCRs. This works out to roughly 24 percent of all BCR-compliant companies. Among these corporate giants are CitiGroup (worth $164.3 billion), BP (worth $144.70 billion), American Express (worth $70.1 billion), Ernst and Young (worth $29.6 billion), and Motorola (worth $11.9 billion). If their BCRs are invalidated, they will likely lose mutual recognition status and be forced to halt any business that involves exporting EEA citizens' data to be processed in any way.
We also know that notice is required to leave the EEA, and the U.K. has not provided explicit notice to do so, beyond its Article 50 Brexit letter.
What we don't know
We do not know how the EU, the EEA, or the U.K. will respond to this predicament. Even the threshold issue of whether BCRs with multiple DPA signatories could remain legitimate without their U.K. lead authority has not been publicly contemplated by any party.
It is also unclear what the U.K.’s policy is regarding the future of its data protection regime. Since the March 27 Article 50 Brexit letter was sent, U.K. authorities have offered conflicting guidance on their next moves. On one hand, the U.K. Information Commissioner Elizabeth Denham has stated, “I don't think Brexit should mean Brexit when it comes to standards of data protection ... In order for British businesses to share information and provide services for EU consumers, the law has to be equivalent.” This indicates that the U.K. will attempt to remain in the EEA and a BCR lead authority.
On the other hand, Prime Minister Theresa May has been adamant about respecting the June 23, 2016 Brexit vote to the fullest extent, stating, “We are going to be a fully independent, sovereign country — a country that is no longer part of a political union with supranational institutions that can override national parliaments and courts.” This indicates that the U.K. will leave the EEA and lose status as a BCR lead authority.
We also do not know whether the U.K.’s Article 50 Brexit letter serves as implicit notice to quit the EEA agreement, despite being devoid of any reference to the EEA.
It is also unknown exactly how much the world economy would be affected by invalidated BCRs. This depends on each business’s reliance on exporting EEA personal data for their operations and whether they have disaster-management strategies in place to avoid such a compromising scenario.
To kick-start the international discussion on this issue, here are four possible post-Brexit BCR fallout scenarios to consider:
Nothing changes. The U.K. continues business as usual as a BCR signatory and the EU amends its rules to accommodate this situation. For example, the EU could amend the Article 29 Working Paper’s BCR criteria to allow the U.K. as an exception to the "only EEA member states can be signatories" rule. This would be the best case scenario for businesses with U.K. BCRs.
The EEA decides the U.K.’s Article 50 Brexit letter provided implicit notice to leave the EEA, resulting in the U.K.’s ultimate withdrawal from the EEA. The U.K. may then decide to apply to join the EFTA or to join the EEA as an independent nation. Whether it would do that, whether that would be allowed, or how long that would take is all speculation at this point.
The EEA decides the U.K.’s Article 50 Brexit letter did not provide implicit notice to also leave the EEA. From here the U.K. could decide it does want to file notice, if it believes remaining within the EEA would be inconsistent with its Brexit policy. If the U.K. does file notice and leaves the EEA, it could still apply to join the EFTA. Again, it’s anyone's guess whether it would do that, whether that would be allowed, or how long that would take.
The EU simply decides it’s impossible for the U.K. to support a BCR post-Brexit, rendering any U.K. BCR invalid. This would be the worst case scenario for businesses relying on U.K. BCRs.
What can be done?
The lack of clarity on this issue calls for risk-mitigating measures to be taken, not a wait-and-see approach. Starting today, global businesses must give this issue serious consideration and adapt their response plans accordingly.
The best remediation plan for businesses with U.K. BCRs would be to apply for a new BCR lead authority as soon as possible. This strategy avoids compromising any business operations, no matter what scenario plays out. Potential operational and financial problems consequently raised by this Brexit-BCR issue would be effectively avoided.
To begin the process of designating a new authority, a company will likely need to go through the same process it followed in designating the U.K. as its lead authority in the first place. Visit the EU website for further guidance and consider Article 56 of the upcoming General Data Protection Regulation, which establishes the competence of lead authorities. Every business should also review its partners' and third-party vendors' data protection regimes to determine whether this Brexit shift will tangentially affect its business operations.