The European Union is preparing for a major upheaval in its data protection laws next year -- but that's not the only worry for businesses exporting the personal data of EU citizens: There's also Brexit to content with.
A new round of negotiations set to begin Monday is expected to address the legal basis on which businesses may send personal information to or through the U.K. after the country leaves the EU.
Businesses may only export EU citizens' personal information to jurisdictions that the European Commission has determined offer an equivalent standard of privacy protection to that available under EU data protection law. That will still be the case after the General Data Protection Regulation (GDPR) enters effect on May 25, 2018. A separate directive on the protection of data processed for law enforcement purposes is due to become law earlier that same month.
But businesses around the world should also be planning for the effects of Brexit, the British exit from the EU, particularly if they send EU citizens' personal data to or through the U.K. for storage or processing.
On March 29, 2019, the U.K. will cease to be part of the EU and, barring any agreement or arrangements to the contrary, the export of personal data from the EU to or through the UK will be banned.
The U.K. government is hoping to convince the Commission that U.K. law post-Brexit will provide sufficient privacy protection, and is seeking an "adequacy decision" that will allow the data transfers to continue unabated.
Late last week the government published a slim discussion paper seeking to play up the importance of data transfers in determining the U.K.'s future relationship with the EU. It's light on detail: just 15 pages to address future compliance with all existing EU data protection law and the 260-page GDPR that will replace much of it next year.
The flow of personal information contributed around 2 percent of EU gross domestic product (GDP) in 2015, and that will rise to 3 percent in 2020, according to Commission figures cited in the U.K. document. The government estimates that 75 per cent of the U.K.'s cross-border data flows are with EU countries.
While the EU is important to the U.K.'s data economy, the U.K. also accounts for a disproportionately large chunk of cross-border data flows worldwide -- 11.5 per cent in 2015, although it accounts for just 0.9 percent of the world's population and generates just 3.9 percent of its GDP.
Businesses that don't want to bet on the outcome of the U.K.'s negotiations with the European Commission have other options to ensure that they can continue moving their customers' and employees' personal information through the U.K.
They're essentially the same options that businesses exporting data to the U.S. had in the limbo period between the suspension of the Safe Harbor Agreement and the introduction of the Privacy Shield.
They include the use of model contract clauses on data protection approved by the Commission, the adoption of binding corporate rules for intra-company transfers, and obtaining the informed consent of data subjects to the export of information about them.
With an adequacy decision, the governments reach an agreement that applies to everyone equally. The downside of the alternatives, especially for small businesses, is that the companies have to do all the legal work, drawing up the agreements and demonstrating their compliance.
The U.K. government hopes to convince the Commission that its laws already provide adequate privacy protection and that, post Brexit, it will ensure they continue to do so even after the introduction of the GDPR and the directive on law enforcement use of personal data.
One sticking point in the negotiations may be the U.K.'s introduction in November 2016 of the Investigatory Powers Act, nicknamed the Snoopers' Charter. It opened the way for a thousands of police officers and tens of thousands of tax inspectors to see which websites citizens are visiting, among other personal information that telecommunications operators will be obliged to collect and retain for inspection. The law also grants information access to officials at the government bodies that pay unemployment benefits and old age pensions, and that regulate gambling, farm workers, food health and air safety.
In December the Court of Justice of the European Union ruled that similar powers introduced under an earlier law, the Data Retention and Investigatory Powers Act of 2014, were incompatible with EU law. Although the ruling did not directly address the 2016 act, it clearly shows which way the court would lean if asked its opinion. Whether that will happen before the UK leaves the EU remains to be seen.