Brexit will happen. The EU GDPR will happen. You can't avoid either
Comply or not, in a few years you'll be able to choose
Article 50, the process for Britain’s formal withdrawal from the European Union, is looming. Upon the conclusion of Article 50, data centres resident in Britain will no longer be subject to EU data protection rules.
Today, UK data centres are bound by the EU Data Protection Directive (95/46/C), which was in turn based on the 1980 OECD “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”.
95/46/C was a directive, meaning that it had to be enacted through each member state’s own laws. In the UK the transposing statute is the Data Protection Act 1998.
The act contains eight principles data processors must abide by when it comes to personal data – these include provisions that data shall: be processed fairly and lawfully; be obtained only for specific purposes; be accurate and kept up to date; and that anyone holding the data must take measures to protect it with data not transferred to a country outside the EU, unless that country also has rules to protect it adequately.
Whether the UK continues to abide by these rules is an important question post-Brexit, and it’s a question with an added dimension because fresh EU data legislation is due before the maximum timespan, after which the Article 50 process would end.
Article 50 is a two-year procedure, so nothing will change during that time. The government isn’t expected to trigger Article 50 until “sometime” in 2017; speculation ranges around the early half of the year, based on a number of converging factors, meaning the UK would still be in the EU until 2019 at the earliest.
That is significant, because it means that – at least for a short time – the UK will be subject to the General Data Protection Regulation (GDPR), which comes into force in May 2018.
Bypassing Parliament, temporarily
Unlike EU directives, regulations like the GDPR don’t have to be implemented in local law. They are effective immediately, meaning data centres in the UK are going to have to abide by those rules during the pre-Article 50 era. That is important because the GDPR sets a very high bar on data protection and introduces some significant changes to UK law.
One of the biggest areas of focus is on data governance. Privacy impact assessments will be mandatory for high-risk processing activities, including large-scale processing of data or profiling activities.
Among the highlights, companies must demonstrate “privacy by design”, showing that they have pseudo-anonymised the data that they’re storing and built privacy protection into their staff policies. When choosing third-party data processors, companies responsible for customer data must regularly assess their procurement processes and may have to abide by EU-approved boilerplate clauses in service provider contracts.
Under the new regulations, companies must provide more information to people about what data they’re processing and how. This includes contact details for the data protection officer who is responsible for looking after that data, and details of any data transfers outside the EU.
There are new limitations on the use of consent, meaning that the owner of the data must grant separate consent for different processing activities and can withdraw them at any time.
People will also have the right to have their data erased under the GDPR, and if a company has already made that data public, then they have to pass that request along to others. Lawyers expect this to be a particularly difficult issue for many companies.
In the event of a data breach, a notification requirement will apply across the board and the maximum penalties go up: the ICO can currently levy fines of up to £500,000 but the GDPR ups that to €20m, or four per cent of total annual worldwide turnover.
Right up to the minute
There are some interesting advanced technical issues in the GDPR, too. There is a restriction on taking decisions using automated profiling. Individuals have a right not to have decisions made about them without human intervention, such as credit approvals and e-recruiting. It’s unclear whether it simply can’t happen or whether they must actively object to it, though.
Special categories of personal data are specifically defined, including biometric and genetic data, and the GDPR makes it possible for EU member states to introduce new conditions regarding their handling. This will make it important for UK organisations to consider what other member states are doing in this area when exchanging data with them. Companies should also make the data retention period explicit.
Companies must also confirm, on request, whether they process an individual’s personal data and provide a copy of it, along with any supporting materials, as happens at present. People can also make companies port their data to them or another provider in machine-readable format, and that must be done within one month.
Don't be alarmed or anything, but experts say you're going to struggle
Some firms will have their work cut out to keep their noses clean, according to Gavin Siggers, director of professional services at data storage firm Iron Mountain.
“Simply knowing what data they hold, why they hold it, where it’s kept and how long it should be kept for, often presents obstacles that many organisations struggle with,” he told The Register. “But understanding this will significantly help in reducing their risk exposure.”
What happens if the UK exits the EU after the GDPR takes effect? By this point, companies will already have spent the time and money to accommodate the new regulations. Implementing the GDPR is a process that they should be starting now. In its implementation guidelines, the ICO warns that in a large or complex business this could have “significant budgetary, IT, personnel, governance and communications implications.”
The question is what position all this effort will leave them in afterwards, and on this there are two opposing viewpoints.
On the one hand, Brexit could change the UK’s stance on GDPR, eliminating it altogether, according to Ashley Winton, a partner in the corporate department at legal firm Paul Hastings and an expert on cyberlaw: “It’s an absolute compliance hurdle for all cloud businesses – both those in the EU and the ones in the UK, and the ones in neither the UK or the EU but which target UK or EU customers,” he said. “That will disappear on Brexit.”
If that happens, then UK firms must look at two separate issues: firstly, transferring data to other countries outside the EU, such as the US, and then transferring data with countries inside the EU.
“My opinion is that UK businesses will continue to enjoy a good latitude and freedom to transfer data to the US after Brexit,” Winton said, arguing that the UK ICO has always been accommodating when it comes to data transfer issues.
Current UK law allows for self-determination of adequacy when transferring data to non-EU countries. Companies can, in effect, decide for themselves whether it’s OK to transfer data to another jurisdiction. The UK is the only country in the EU to have this provision. Firms can also use binding corporate rules or model contracts to make transfers legally adequate, according to ICO rules.
“The area that they need to keep their eye on is the transfer of data from the remainder of the EU to the UK,” Winton added. The EU and US has just been through its own debate on data transfer and sovereignty, resulting in the Privacy Shield legislation. “We might start very similar debates between the UK and the rest of the EU.”
Uncertainty is the problem here. Because we don’t know what a post-Brexit UK-EU relationship might look like, it’s hard to know what the data transfer rules will be. We could even see some kind of Privacy Shield agreement between the UK and the EU, Winton suggested.
Ross Woodham, director of legal affairs at hosting firm Cogeco Peer 1, said that the UK’s Information Commissioner would need to cut some kind of standardised deal with the rest of the EU.
“If you’re the UK and you’re in receipt of this data you’ll have 29 data protection authorities all making determinations of whether or not the transfer coming to you is legal,” he said. “As a UK company, you’re going to have to work through that complication, and that’s where I think the Information Commissioner’s Office has a significant role to play.”
The burden is on the ICO to create a post-Brexit finding of adequacy that spans its partners within the EU, he suggests. A finding of adequacy is a legal instrument, established under the old data protection rules, that enables data to be transferred between jurisdictions without the use of model contracts. The EU has adequacy findings with countries including Canada, for example.
The other point of view sees the GDPR as remaining relevant to UK businesses, even if it no longer officially applies post-Brexit. You’d hope that some kind of pragmatism would seep through and that the UK ends up mirroring regulations in the EU.
That’s what Siggers is hoping for, anyway. The UK is still a strong trading partner with the EU, he pointed out. “It’s unlikely that it would make sense for the UK to step away from legislation that affords the levels of protection offered elsewhere in Europe,” he said. “Would the UK really gain anything from relaxing its data protection regime?”
Frank Jennings, a partner at Wallace LLP, argues that those businesses who have complied with GDPR are likely to continue along as usual even after Brexit: “Even if the UK adopts a lower standard on data protection transfers from non-EU data, compliance officers are likely to adhere to EU standards anyway as a matter of business policy, because they don’t want to have two compliance standards to adhere to,” he says.
There could be some patchy implementation, though. Most of the larger businesses that Jennings has spoken to are already well along the road to GDPR compliance, but it’s the SMBs that face challenges.
Choose whether to comply – and choose wisely
“Those businesses who have yet to prepare for GDPR and are hoping that Brexit will mean they don’t have to are the ones likely to be caught out,” he said.
All of this comes in along with the shadow of the Investigatory Powers Bill, the Snooper’s Charter, originally proposed by the PM when she was Home Secretary. This legislation, currently at its committee stage in the House of Lords, has privacy advocates wringing their hands and could potentially undermine efforts to craft a privacy agreement with the EU.
In particular, they’re worried about the use of bulk interception warrants for mass surveillance.
Vodafone, for example, has warned that the Bill could “significantly undermine trust” in British telecoms groups and frets that UK security forces could tap its networks.
Companies hosting data centres in the UK will be dragged into GDPR compliance whether they like it or not. You might argue that this cost will be needless if Brexit happens and the EU regulation ceases to apply here.
In practice, should that happen, firms that have already done the work to comply with the EU are unlikely to undo it, as compliance will make it easier for them to serve EU clients. Those firms that fail to meet GDPR standards may simply find they their ability to work with EU clients profoundly challenged. ®