As news of the Brexit vote swept the globe this morning, the response from privacy professionals throughout the EU who have studied the matter has been consistent, if cliché: Keep calm, and carry on.
While the U.K.’s departure from the European Union will clearly have momentous impact on both sides of the equation, it’s not yet quite clear what that impact might be, and, regardless, privacy professionals have a good two years yet to figure it out.
Mark Keddie, CPO at BT, said privacy programs need to be ready for this kind of change in the status quo. The Brexit vote is a big deal, of course, but it’s “just another Safe Harbour,” he said, referencing the gnashing of teeth that resulted following the Schrems decision last year, and which continues today. “As a global facing business, events like this demonstrate the need to have robust assurance frameworks that can absorb external environmental factors without having a detrimental impact on the privacy of customers or the effectiveness of the business.”
Keddie’s thoughts were echoed by David Evans, DPO and VP at Swiss Re, who was speaking as a practitioner and not delivering the official Swiss Re position. “We now have the certainty of a referendum result, but there are still so many questions that heat of the moment decisions are unwise,” he said. “We simply don’t yet know what a post EU U.K. will look like. Or if there will be a U.K. … The best approach therefore is to continue to ensure that your organization has a data protection framework in place, that it meets, or is aiming to meet, the standards set out in the GDPR, and above all that you are flexible enough across all aspects of your operations to adapt that framework to cope with as yet unknown requirements.”
Similarly, the response to the vote from the U.K. Information Commissioner’s Office noted that maintaining the status quo, along with a continued push toward the GDPR requirements, is sound practice: “The Data Protection Act remains the law of the land irrespective of the referendum result.” The statement went on to note that if the U.K. is not part of the EU, then the GDPR will not apply, “But if the U.K. wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words U.K. data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
“In the end,” counsels Kim Smouter, head of public affairs and professional standards at research membership association ESOMAR, “the U.K. will remain an EU Member State for some time whilst the details are worked out. I assume once this is done, adequacy will be a top priority if only to keep access to the digital single market!”
Further, said Rocco Panetta, partner at Nctm law firm in Italy, “As far as the GDPR and the current privacy system are concerned, besides the fact that we have two years ahead, both for the full entering into force of GDPR and for the Brexit negotiations, at the same time we cannot forget that U.K. has grown in the last 40 years within the EU and therefore we can’t absolutely imagine that years and tons of laws and case laws can be canceled by a vote. The internet and the digital exigencies will oblige the U.K. to converge on EU rules on privacy exactly as the U.S. is doing to certain extent.
“In addition,” he continued, “never forget that we already have a fortress within the heart of Europe, which is outside of the EU: I am talking about Swiss. Let’s start to imagine a world of relationship between EU and the U.K. like those already existing between EU and Swiss.”
Yes, there will be some within the U.K. who will make noise about freeing themselves from the GDPR’s obligations. “Expect to see Eurosceptic Tories wanting DP legislation to be included in their inevitable bonfire of EU laws,” said Emma Butler, senior director for privacy and data protection at RELX Group. “Hopefully more informed MPs will make the case for this not being the smartest idea.”
“Some might argue that not being liable for the GDPR would be an additional benefit for businesses” following Brexit, agreed Mark Thompson, KPMG’s U.K. privacy practice leader, in remarks to Bloomberg. “In reality, this is a false hope,” though. “The reality is that Britain needs to trade with the EU and trade these days is becoming increasingly reliant on personal information.”
Indeed, write Francis Aldhouse, consultant to law firm Bird & Bird and former UK Deputy ICO, and Bird & Bird International Data Protection Practice Co-Head Ruth Boardman in an advisory provided to the IAPP, “For the moment, continue to plan on the basis that the GDPR will apply to you either because the U.K. will be part of the [European Economic Area] or, if you are processing EU data, because it will apply on a long-arm basis and because you will be required either by standard contractual clauses or some other instrument to give that personal data ‘adequate protection’ as defined in the GDPR. Let us hope the fog quickly clears.”
How quickly might it clear? The EU is clearly motivated to get things underway. In a joint statement from EU Parliament President Martin Schulz, European Council President Donald Tusk, Holder of the Presidency of the Council of the EU Mark Rutte, and European Commission President Jean-Claude Juncker, the collected leaders write, “We now expect the United Kingdom government to give effect to this decision of the British people as soon as possible, however painful that process may be. Any delay would unnecessarily prolong uncertainty.”
They point to Article 50 of the Treaty on European Union, which sets out the rules for departure. “We stand ready to launch negotiations swiftly with the United Kingdom regarding the terms and conditions of its withdrawal from the European Union. Until this process of negotiations is over, the United Kingdom remains a member of the European Union, with all the rights and obligations that derive from this. According to the Treaties which the United Kingdom has ratified, EU law continues to apply to the full to and in the United Kingdom until it is no longer a Member.”
However, writes Milbank partner Joel Harrison in an advisory supplied to the IAPP, “It currently isn’t clear whether the U.K. will invoke the formal withdrawal process or use the Brexit vote as a means to enter into a wholesale renegotiation of the U.K.’s relationship with the EU, but the Prime Minister has previously made clear that he expected the formal withdrawal process to be followed if the U.K. voted to leave the EU.”
Of course, U.K. Prime Minister David Cameron took the occasion of the Leave vote to announce that he’ll be stepping down from his post by October. So it may very well be former London Mayor Boris Johnson or another Vote Leave leader who makes that decision and guides the U.K. into the future. And things could be further complicated by Scotland leaving the U.K., which Scottish First Minister Nicola Sturgeon has said she is determined to do, so that Scotland can remain in the EU. Expect another Scottish independence vote in the near future.
Yes, there is uncertainty in abundance for privacy professionals, as there is for everyone watching the U.K. today, but there is also a relatively clear path: Keep calm and carry on with what you’re already doing.