The risks of a hard brexit
Regardless of what the UK does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to World Trade Organisation rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the UK after Brexit is to be judged as offering an adequate level of protection by the European Commission.
A hard Brexit with no deal means no assessment of adequacy. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy, that determination can only be given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60bn leaving bill, there might not be much goodwill left to speed up a UK adequacy determination for GDPR.
Data transfers to the US take place through auspices of the EU – US privacy shield, which American companies can sign up for to demonstrate they offer an adequate level of protection. This was hastily put together after the previous Safe Harbour scheme was ruled as being inadequate by the European court. It may be that in the event of a no-deal Brexit, the UK can join the privacy shield, allowing companies a one-step registration process to essentially continue doing what they will already have been doing up until the formal exit from the EU.
Trumping the Privacy Shield
While President Trump’s executive order banning citizens of seven mainly Muslim countries from entering the US caused an international outcry, a little-noticed provision in the flurry of executive actions gave cause for concern about the long-term security of the EU-US Privacy Shield.
The Privacy Shield agreement, which enables American companies to self-certify that they comply with European data protection regulations, is vital to ensuring transatlantic data transfers can take place. Over 1,500 businesses process EU data in the US, including Facebook, Twitter, Google and Microsoft.
Section 14 of the order requires the US government to exclude all non-US residents from privacy protections outlined under the 1974 Privacy Act. The order also contains provisions to maximise data sharing between federal agencies, particularly in regards to deportation proceedings against removable aliens (i.e. anyone who is not a citizen or permanent resident).
Furthermore, the US 1974 Privacy Act is already three generations out of date. Any comparison between what privacy protections are offered as standard in a post GDPR EU and the US will shine a shockingly bright light into their shortcomings.
An essential element of the Privacy Shield is ensuring equivalence of privacy protections for European citizens’ data in the US. So a presidential order stripping any privacy protections given by an already outdated privacy framework could see the Privacy Shield invalidated by the European Court, just as the Safe Harbour scheme was.
In the wake of the executive order, EU Justice Commissioner Vera Jourova said: “I need to be reassured that the Privacy Shield can remain… We will continue to monitor the implementation of both instruments and are following closely any changes in the US that might have an effect on Europeans’ data protection rights.”
While the previous Obama Administration and European partners worked quickly to safeguard transatlantic data transfers after the Safe Harbour decision, it remains to be seen whether a bullish Trump Administration bent on protectionism will be so quick to do the same.
Staying compliant with GDPR
What to do:
- Audit the countries that you transfer data to, including within your supply chain
- Review the status of your company’s compliance with GDPR
- Understand how much of your data transfers and those of your supply chain rely on the Privacy Shield
- Consider the risks to your business and operations posed by Brexit and US policy shifts
- Prepare contingency plans in the event of any disruption between the US – UK – EU flow of data