With the UK leaving, what’s going to happen to Privacy Shield?
All ballots are in, and the world has changed: on June 24th, voters in the United Kingdom took part in what has been named Brexit, the referendum on the country’s membership in the European Union. With a total of 51.9% of votes to leave, the fallout has been staggering: the pound dropping to its lowest point in over three decades, and the resignation of political leaders including the British Prime Minister David Cameron and a number of members of the Labour Party. Those that are left picking up the pieces find themselves trying to hold the country together while deciding what to do now. Questions abound, including when the country will leave, what it will mean for UK relations with EU members, and even whether it will be the entire “United Kingdom” that steps out: calls for a second referendum are already being heard from Scotland and Northern Ireland, both of which voted by a heavy majority to remain. For privacy professionals and data specialists, however, another question is starting to arise: if the UK leaves the European Union, what will be the ramifications for the EU-US Privacy Shield agreement, and for the UK’s previous agreements, as part of the EU, on data sharing across borders?
First, a little background: Privacy Shield is the name of the current agreement being hammered out by the United States and the European Union with regard to the legal transfer of information across the Atlantic. Specifically, it deals with how companies based in the US handle the data collected on European citizens, an everyday transaction for such international heavyweights as Facebook, Google, Microsoft and Apple. The framework, which is still being ratified, is hoped to replace the previous ‘Safe Harbour’ agreement, which was deemed invalid by the European Court of Justice in 2015. Privacy Shield includes strong obligations on how US organizations handle Europeans’ personal data, including safeguards, transparency commitments, and the protection of EU citizens’ rights with regard to their personal information. As of June 27th, 2016, the Shield Agreement has not gone into effect: details were outlined on February 29th by the US Department of Commerce, but the agreement will need to be approved by EU members before taking effect, an action Brexit may have helped. Until recently, the UK, as a part of the EU, would have seen its citizens’ personal data protected under the Privacy Shield when their information is in the hands of US business. Should the UK be removed from the EU, however, Privacy Shield would no longer be applicable to data that crosses between UK and US organizations; if data is to be shared, the UK and the US will need to come to their own agreement on the protection of UK citizens’ personally identifiable information in the hands of US business.
Also of concern are the EU agreements on the sharing of data between members. While the United Kingdom has its own internal privacy laws, including the Data Protection Act (1998) and Privacy and Electronic Communications Regulations (2003), any information collected from EU member countries has been subject to the European Data Protection Directive, and was expected to follow the upcoming General Data Protection Regulation. With the appearance of Brexit, however, the UK, once divorced from the EU, will no longer be obligated to uphold either. An agreement will need to be hammered out: without one, EU countries such as Germany, France, Italy and Spain will not be able to trust the UK with access to data on their citizens, something many businesses rely on, particularly with the increasing use of Big Data and “smart” appliances. As an ICO spokesperson said on June 24th in light of the referendum:
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.”
Brexit may also have ramifications for data collected by Canadian companies. While Canadian businesses have had the luxury of not requiring their own Privacy Shield deal, this is because Canada’s own privacy laws have been recognized by the European Data Protection Directive as providing adequate protection. If the UK is no longer part of the Directive, a new agreement on data sharing between the UK and Canada may need to be developed. On the other hand, as part of the Commonwealth, Canada enjoys a long-term, historical relationship with the UK that will likely work in its favour: just as the EU recognized Canadian law as providing adequate protection, odds are the UK will not impose heavier safeguards on Canadian companies accessing UK data. How Canadians will feel about sharing their personally identifiable information with the UK, particularly with the UK Data Retention and Investigatory Powers Act currently under revision, remains to be seen.
Ultimately, Privacy Shield and the European Data Protection Directive are just two agreements that the UK will need to address in the coming years. However, in today’s global economy, data sharing across borders has become the norm, and businesses that are unable to enter the international marketplace due to lack of data access are at a disadvantage. It is in the UK’s best interest to have data sharing and privacy agreements in place before leaving the EU; otherwise existing UK companies may be cut off from potential markets, while UK citizens will be on thin ice accessing such staples as Facebook, Google, and Uber, because the owners are no longer permitted access to the information they need for their services to work.