Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Brexit and the GDPR - why leaving the EU will make life harder for enterprises

John E Dunn | June 15, 2016
In or out, the EU’s new privacy rules are the new reality.

This is the uncertainty a lot of Brexit debate has centred around but in this case it has a very technical edge to it. The UK negotiators trying to unpick the UK's legal involvement with the EU would have to put in place a transitional agreement while plotting a longer-term path to allow business to function in an age where data naturally moves across borders.

The most likely model would be for the UK to ask for the status enjoyed by non-EU countries such as Norway, Iceland and Switzerland under the European Economic Area (EEA), but according to Freij this isn't a perfect solution.

"Realistically, more privacy-aware countries, such as Germany, France and Spain, would be likely to put up a fight to challenge the UK's more relaxed approach to data protection legislation," she says.

"Should the UK not be regarded as having 'an adequate level of protection' then, legally, any transfers to the UK would have to be via EU model clauses, a very administrative-heavy task."

Brexit and the GDPR - why leaving the EU could make life harder for enterprises

Model clauses are currently used to allow the transfer of data to non-EU countries and are usually regulated by service providers (e.g. a cloud provider) which ensures compliance with EU data protection rules, including under the auspices of instruments such as the EU-US Privacy Shield. An alternative is Binding Corporate Rules (BCRs), basically the same instrument but set up by the enterprise itself. Multi-nationals will already use such instruments to move data across the globe but having to set up another complex layer of these where none previously existed more won't go down well.

"Even if these rules were put in place, there are questions over how long this would take," says Freij.

"With the UK data protection authority in the midst of managing these applications for many global conglomerates, any hold up in the process could prevent these companies from finding an alternate legal means of transferring personally identifiable information intra-group around the world."

Regardless of its size and relative importance, other experts are more pessimistic about the short-term implications of the UK suddenly being outside a bloc of 27 countries even if, as expected, the European Commission makes a positive adequacy finding regarding UK data protection standards.

"It will take at least two years for the UK to figure out how to leave. Data protection is one of thousands of things to be worked out," comments Marc Dautlich, a partner at legal firm Pinsent Masons who specialises in data protection.

"Think about how long the negotiations between the EU and the US have taken," he points out, referring to the Privacy Shield data transfer agreement between the EU and the US, meant to replace Safe Harbour that collapsed in October 2015 under legal challenge. "They have been locked in negotiations for 18 months before last October," he adds, gloomily.


Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.