Fears that global markets would tank in the days since the U.K. moved to exit the EU have eased, but the shocking vote has still left companies that handle personal data in an uncomfortable limbo.
How to appropriately regulate privacy is historically one of the biggest sticking points between the U.S. and Europe, where it is a fundamental right under the EU Charter.
Up until now, the 28-nation bloc has largely acted as a unit. But the so-called Brexit vote has raised questions about whether the U.K. will diverge from a pair of key policy changes that are on the horizon in the EU.
Both have a substantial impact on U.S. businesses of all stripes that operate across the Atlantic.
One is the so-called Privacy Shield, a pending agreement between Europe and the U.S. that allows American firms to legally handle EU citizens’ data.
Over 4,000 companies — from social media to hospitality — relied on its predecessor to transfer personal information across the Atlantic. While many have shifted to alternative legal mechanisms to handle data, businesses have complained that they’ve been left in an expensive purgatory while negotiators deliberate a replacement.
European approval of the draft pact struck in February has largely been stymied by concerns that it places insufficient limits on U.S. surveillance practices. It faces a vote amongst the EU member states as early as next Monday.
Several privacy lawyers who spoke to The Hill are tentatively confident that the Brexit vote will give a boost to the fledgling deal. In the face of economic turmoil across Europe — especially in the financial sector — lawmakers will be hesitant to introduce further uncertainty by voting down an agreement many see as vital to transatlantic trade, valued at over $1 trillion in 2014.
“In the short term, Brexit probably makes approval by the European Commission of the latest proposed Privacy Shield a foregone conclusion,” said Andy Roth, former chief privacy officer at American Express and currently a partner in Cooley's Privacy & Data Protection practice group. “This is a way to remove some of the uncertainty and show that the U.S. and Europe are united.”
But what happens after that is much murkier. Even if the Privacy Shield is approved, it will almost certainly face legal challenges from privacy advocates like the one that brought down the original agreement in October.
In fact, legal experts say, the European high court could very well strike down the new deal before the U.K. actually exits the EU.
In that case, there is a scenario in which the U.K. may decide to continue allowing data transfers under Privacy Shield.
That could introduce some wrinkles in the U.K.’s relationship with the rest of Europe — at risk of fracture as other nations weigh “leave” referendums of their own.
“There is a chance that Europe would resist treating the U.K. the same way as a European member state because it might incentivize other markets to break off,” Roth said.
The second significant data policy change on track for adoption in the EU is a massive regulation aimed at boosting individual citizens’ control over their personal data. The so-called General Data Protection Regulation, or GDPR, is set to take effect in 2018.
Onlookers expect the U.K. to simply adopt the GDPR as written — “the path of least resistance,” according to Susan Foster, a privacy attorney at Mintz Levin who works in both the EU and the U.S.
“My view is that the U.K. would find it very challenging to adopt privacy laws that were materially different from the European Union’s privacy laws,” Foster told The Hill. “The U.K. is going to want to continue to be able to share personal data without constraints with Europe going forward.”
In order to do that, the U.K. would have to get what is known as an “adequacy decision” from the European Union, affirming that it offers privacy protections to individuals that are equivalent to those offered under EU law.
If the U.K. simply retained the GDPR, Foster says, the EU “would not be able to credibly argue that there weren’t substantially equivalent and adequate protections in the U.K.”
The U.K. could conceivably offer lower protection to its own citizens while still maintaining the appropriate protections to guard EU citizens’ data — easing the regulatory burden on companies that operate solely in the U.K. — but Foster sees that as an overly complex approach that is unlikely.
The U.K. Information Commissioner’s Office (ICO), which is responsible for protecting information rights, has already said it will petition lawmakers to keep U.K. privacy protections at parity with the pending changes to EU law.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens,” the ICO said in a statement on Friday.
“We will be speaking to government to present our view that reform of the U.K. law remains necessary,” the agency said.