Amid news of Brexit, UK ICO seeks to provide reassurance

As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.

Because the UK’s Data Protection Act was adopted to be consistent with the current EU Data Protection Directive, EU-type data privacy principles will certainly continue to apply, with perhaps a greater dose of British common sense. That means that data flows from the UK to the US will likely still need to be authorized under future UK versions of “model contracts” or binding corporate rules. The US and UK may even agree to a data transfer agreement modeled on the forthcoming Privacy Shield. While there could be policy support on both US and UK sides for a US-UK framework that is less onerous than the highly rigorous new Privacy Shield, the UK will likely have an incentive to demonstrate to the EU that the data flows it receives from EU Member States will not be onward transferred to the US pursuant to less stringent terms. Indeed, the UK Information Commissioner’s Office statement has already indicated that the UK may seek an “adequacy” determination from the EU under the new General Data Protection Regime.

For companies that have obtained approval for BCRs with the UK ICO as the lead EU data protection authority, or are in the process of doing so, there will need to be some sort of transition process that will inevitably be complicated. The UK may strive for status that is similar to that of Switzerland on data protection matters – namely, maintaining a parallel regime to that of the EU. In short, the unwinding and re-winding of UK data transfers to and from the EU and EEA countries, and to the US, will be pretty confusing for a while before it stabilizes. It also seems possible, however, that the EU will not take Brexit as an impetus to double down on unduly prescriptive privacy regulations, such as the 72-hour breach notice requirement. Somehow the EU needs to make good on its commitment to promote Europe’s own digital economy, and the loss of the UK may help focus the mind. Perhaps the silver lining will be a move towards greater international convergence on regulatory policy, and more reasonable harmonization on privacy.

Of course, it would be even safer to predict that there will be highly unpredictable impacts on data protection as well as everything else affected by Brexit.