Originally published in Thomson Reuters’s Westlaw Journal on September 9, 2016.
Companies doing business abroad should reassess their data policies in light of the newly-enacted EU-U.S. Privacy Shield and the potential outcome of the UK’s decision to leave the EU.
The UK-EU membership referendum of June 23, 2016, popularly termed “Brexit,” has sent shockwaves throughout the world since the final vote was tallied. Political commentators, economists and various pundits have speculated as to the implications of Brexit, particularly in the areas of free trade, migration and regional security. This speculation has caused, among other things, a change in leadership in the UK, and the largest worldwide stock market drop in history.1
Despite all of the publicity surrounding Brexit, little thought has been paid to the effects of this referendum on international data privacy laws. Despite this lack of attention, however, the implications of Brexit on international data privacy laws, and on companies doing business within the UK and the EU, will be significant.
Safe Harbor to Privacy Shield
The global nature of the internet has resulted in many conflicts of law among jurisdictions, most notably between the United States and European countries. Much of Europe, including the entire EU, places a strong emphasis on protecting its citizens’ personal data. These countries generally require entities operating in any way within their jurisdictions to ensure that citizens know when their personal data is collected, how their information is being used, to whom their data is being transferred, and for what purpose it is being transferred. These countries also allow their citizens to request that the personal information collected from them be deleted. This is commonly known as “the right to be forgotten.”
The United States, while not completely devoid of data protection laws of its own, generally does not afford safeguards as extensive as those found in European countries.
The EU’s privacy laws apply to all “data controllers.” A data controller is any entity that processes or stores EU citizens’ personal information and has some sort of physical presence in the EU.2
This physical presence requirement is rather broad. For example, it can mean having an office or server located in the EU. However, in some cases, an entity can reach this threshold simply by leaving cookies, or tracking data, on an EU user’s computer when that user visits a website.3 This broad definition means many U.S. companies that do some business in the EU, or otherwise interact with EU customers, must comply with EU data privacy laws.
In order to streamline the process for U.S.-based data controllers to meet these strict EU data privacy requirements, in 2000, the European Commission and the U.S. Department of Commerce instituted U.S.-EU Safe Harbor. This agreement between the EU and the United States permitted transfers of personal data located in the EU into the United States as long as data controllers self-certified they complied with certain principles related to the collection and use of the EU user’s personal data. These principles involved notice, choice, onward transfer, security, data integrity, access and enforcement.
However, in October 2015, the European Court of Justice invalidated U.S.-EU Safe Harbor on the basis that it did not provide sufficient protection of the personal information of EU citizens. In July 2016 the European Commission and U.S. Department of Commerce fully implemented the new EU-U.S. Privacy Shield, which allowed for additional safeguards to protect the personal data of EU citizens above and beyond the U.S.-EU Safe Harbor agreement. Notably, the EU-U.S. Privacy Shield strengthened the principle of “onward transfer” by requiring that third parties to whom the data was transferred must maintain Privacy Shield principles as well.
As with the U.S.-EU Safe Harbor, however, the EU-U.S. Privacy Shield is only applicable to members of the European Union (as well as Iceland, Liechtenstein and Norway), and as such it will not apply to the UK once Brexit happens. This raises the question of what will happen to the personal data of UK citizens after Brexit, and how the exit will affect U.S.-based companies doing business in the UK and EU.
UK privacy laws after Brexit?
While the UK is generally more laissez-faire with respect to regulation compared to the countries of mainland Europe, it still takes data privacy very seriously.
For example, in 1998, prior to the institution of the U.S.-EU Safe Harbor, the UK Parliament passed the “Data Protection Act of 1998,” a law governing how the data of UK citizens may be processed. The Data Protection Act is considered generally similar to the various individual data protection laws of the other EU member states.
Accordingly, it is unlikely that the UK will curb its data protection laws after leaving the European Union. In fact, the UK’s Information Commissioner’s Office, or ICO, has already said that the current data protection laws in the UK will not change after Brexit happens. The ICO explained that if the UK wants to maintain agreeable trade terms with the European Union, UK privacy laws must remain on par with those found in the EU member countries.4 As such, it is likely that the privacy laws of the UK will remain equally stringent post-Brexit.
What will replace Privacy Shield in the UK?
As the UK will no longer be an EU member, the EU-U.S. Privacy Shield will no longer apply to U.S.-based data controllers doing business within the UK. To remedy this issue, the UK will have to institute a bilateral agreement akin to EU-U.S. Privacy Shield in order to avoid disrupting any cross-border business relationships with the United States.5
The matter of how the UK opts to institute such an agreement is still up for debate.
One possible option for the UK is to follow the lead of Iceland, Liechtenstein and Norway and continue to participate in, and be subject to, the EU-U.S. Privacy Shield despite not being a member of the European Union.
Another possible course of action for the UK is to adopt the practice of Switzerland, which has been operating a data privacy agreement with the United States independently from the EU. In 2009, Switzerland, which is not a member of the EU and thus not bound by the U.S.-EU Safe Harbor, reached a similar agreement with the United States, known as the U.S.-Swiss Safe Harbor. This U.S.-Swiss Safe Harbor agreement includes all of the tenets and safeguards found in the U.S.-EU Safe Harbor, but also includes several provisions catered to the specific needs of Switzerland.
For example, while the U.S.-EU Safe Harbor (and now Privacy Shield) only affords protections to EU citizens, the U.S.-Swiss Safe Harbor also applies to Swiss corporations and other legal entities. It is possible that the UK, with a robust corporate climate similar to that of Switzerland, will adopt a similar directive should it choose to reach a separate data privacy agreement with the United States.
Regardless of which of the above courses of action the UK takes, U.S.-based data controllers will still have to ensure they are following UK law when dealing with the personal data of UK citizens.
Does my company even have to worry about Privacy Shield?
Before a U.S.-based company begins working through the complex regulatory framework of international data privacy compliance, it must first determine whether it is even subject to the EU’s data privacy laws, as well as those of the UK, Switzerland and other jurisdictions with strict data privacy laws.
Generally, these laws will only apply to your company if it is considered to be a “data controller.” As mentioned earlier, this definition is very broad, and can include activities such as having a server in the relevant territory, or setting cookies (i.e., data generated by a website and saved by the web browser on the user’s computer) for a user accessing your company’s website from one of the relevant countries abroad.
If your company does not take any of these measures, for example by maintaining servers in the United States and not collecting cookies or other personal data from European users, your company likely does not have to worry about complying with these data privacy laws.
Assuming that your company is considered to be a data controller, there are also a limited number of options for avoiding the need to certify under the EU-U.S. Privacy Shield (and presumably any potential U.S.-UK agreement).
One such option to consider is requesting that the EU user provide “affirmative consent” to the transfer of their data outside of the EU (e.g., through an “I agree” pop-up on the data controller’s webpage). This affirmative consent, which presumably would also be available in a potential U.S.-UK Safe Harbor type arrangement, must be received in every single session in which data is collected from a user, and consent can be revoked by the user at any time. Accordingly, this method is really only practical for companies that collect data infrequently from EU users and maintain controls to delete this data on command.
How do these changes affect U.S. companies doing business in the EU and UK?
Assuming that your company is considered a data controller in the EU and UK, and it would not be practical to obtain affirmative consent every time you collect a user’s personal data from these territories, then your company must evaluate how the EU-U.S. Privacy Shield, and any potential similar agreement between the United States and the UK, affects your data collection, transfer and storage procedures.
For example, if the UK follows Switzerland’s lead and reaches an independent data privacy agreement with the United States, it is possible that the UK would no longer be considered part of the “European Economic Area” with respect to data transfers. If this turns out to be the case, your company may no longer be able to process data of EU citizens within the UK without taking additional precautions.
A potential U.S.-UK data privacy agreement may also include additional terms above and beyond those found in the Privacy Shield. For example, it is very possible that the UK mimics Switzerland and pushes to extend its data privacy laws to protect corporate users as well, forcing your company to account for these entities in its data management plan.
On the other hand, if the UK were to instead remain a party to the EU-U.S. Privacy Shield, in all likelihood the above scenarios would not play out.
If your company is doing business in Europe, ensuring compliance with international data privacy laws is critical. Notwithstanding the uncertainty surrounding Brexit’s impact on international data privacy law, restrictions on data management and transfer across borders are here to stay. That is why it is so important to consult with attorneys with experience in EU data privacy compliance prior to expanding your business into Europe.
1 Javier E. David, Brexit-related losses widen to $3 trillion in relentless 2-day sell-off, CNBC, June 27, 2016, http://cnb.cx/2aRvRhI.
2 The recently enacted General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will be implemented on May 25, 2018, will eliminate this “physical presence” requirement. As such, any entity that processes or stores EU citizens’ personal information will be subject to EU privacy laws.
3 See Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based web sites, 5035/01/EN/Final WP 56, available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2002/wp56_en.pdf
4 Claire Hopping, Data protection laws will not change following Brexit vote, IT Pro, June 27, 2016, http://bit.ly/2b3CQ8n.
5 It is also likely that the UK will have to reach a similar understanding with the EU, although such an agreement would be fraught with much less difficulty, as both parties would generally employ the same safeguards with respect to data privacy.