News & Events

Brexit and Data Protection - Q&A

Submitted By Firm: Addleshaw Goddard

Contact(s): Michael Leftley, Sarah Harrop

Author(s):

Toni Vitale

Date Published: 8/18/2016

Article Type:

Share This:

What happens now?


The UK decision to leave the EU will not affect existing data protection and privacy laws in the UK. These laws (the UK Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR)) protect people's personal data as well as ensuring that organisations have clear rules and a legal basis when collecting and using such data.

The DPA is the primary source of data protection legislation in the UK. It implements the Data Protection Directive (Directive 95/46/EC) and addresses such items as the definitions of personal data, sensitive personal data, the processing of data, notification and registration requirements, consent, rights of data subjects, collection of data, direct marketing, data transfers and sanctions for non-compliance. This will be the case until the DPA is amended or repealed by Parliament and all UK businesses should continue to comply with the DPA. Previous judgements of both the English and the European courts will continue to be binding in relation to the interpretation of the DPA, at least until the UK leaves the EU (at which point the status of EU jurisprudence will have to be considered).

On May 4th 2016, the EU approved an update to the existing 1995 Data Protection Directive (the EU law from which the UK Act is derived) with what is known as the General Data Protection Regulation ( GDPR). This new law, due to directly apply across the EU from 25 May 2018, strengthens user control over personal information as well as streamlining the rules, aiming to make it easier to do business across EU markets. It contains new rights and obligations for data subjects and data processors and includes tough new sanctions and fines.

Effect of the EU Referendum vote on the GDPR

The territorial application of the GDPR means that organisations collecting and using personal information from citizens in the EU will need to comply with it regardless of where they are located. The EU Referendum result to leave the EU will not affect this.

The ICO has confirmed that in order for data to be transferred between the UK and the EU, the GDPR will have to be adopted into UK law:

"If the UK wants to trade with the single market on equal terms we would have to prove 'adequacy' - in other words, UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens."

The UK Government will need to decide which EU Directives and Regulations it will choose to adopt or keep as part of UK legislation (including the GDPR). It is possible that the work on this list will not start until later this year when negotiations with the EU to trigger the UK's exit under Article 50 of the Lisbon Treaty are expected to commence. As the GDPR is a regulation rather than a directive, the UK would need to amend current UK legislation for the GDPR to remain in force after the UK exits the EU. Most political commentators suggest the earliest exit date to be January 2019, although it may well be later. This means that the GDPR will apply in the UK from 25th May 2018 until the final exit date unless new legislation is passed in the UK.

Many companies will, therefore, be required to comply with the provisions of the GDPR in order to continue trading in the EU. This, coupled with the ICO's belief, made clear in its statement, that the DPA requires reform, may lead the UK Government to take the simplest path and simply transpose the GDPR into UK law. It may also be a condition of the UK's continued participation in the single market that this regulation, amongst others is fully adopted.

What about the 'cookie law'?

An update to PECR (known as the 'cookie law') in 2011 implemented the revised EU ePrivacy Directive into UK law. This remains in place. Article 5.3 of the Directive replaced the 'notice and opt out' regime for the likes of cookies and other technologies with one based upon consent for, "the storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user... having been provided with clear and comprehensive information ".

This law is currently under review by the European Commission (Commission) to ensure it is aligned with the GDPR (a public consultation on its revision ends in early July 2016). A new version may arise over the next year or so but it is unlikely that the UK will apply it. Again, it remains to be seen what happens in the UK but the ICO (as well as organisations and citizens) will want to ensure UK law is in line with other EU countries and that there is a balanced and pragmatic approach. Arguably this is now the most important data privacy policy issue to watch.

What about transfers of personal data to other countries?

The DPA (and its counterparts in other European Member States) prohibits transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognised by the European Commission as providing an "adequate form of protection" for personal data.

It is unclear whether the UK would become a member of the EEA if it left the EU. If it decides to choose to sit outside the EEA, it would no longer be an automatically "safe" destination for EU personal data. It would have to be approved as providing adequate protection for personal data by the Commission. Until that happened, companies operating in the EU would need to revise the methods they use to transfer data to the UK (such as implementing Model Clauses or Binding Corporate Rules). This could pose serious issues for the large number of businesses which currently process personal data of EU citizens in the UK. These approved mechanisms for lawfully transferring data add an additional administrative layer and vary between jurisdictions. In some Member States, such as Spain, organisations would also have to obtain prior authorisation from the local supervisory authority before making any such transfer.

Whilst one might reasonably expect that the UK would be approved as providing an adequate level of protection given that the DPA 1998 is based on the Directive, it is not certain. The Commission has reportedly written to the UK Government in the past criticising it for not implementing the Directive fully and international data transfers are a politically sensitive issue within the EU in the post-Snowden/ Safe Harbour era. It is possible that the activities of GCHQ and other security services in the UK might lead the EU Commission to require additional safeguards to protect the rights of UK citizens against intrusive and mass surveillance to be implemented before an "adequacy" ruling would be given.

What about the Privacy Shield?

The EU-US Privacy Shield replaces the EU-US Safe Harbour scheme, which was ruled invalid in October 2015 by the Court of Justice of the European Union. On 24th June 2016, agreement was reached between the US and the EU to improve the new Privacy Shield following criticism from MEPs, the European Data Protection Supervisor, and the Article 29 Working Party. The main concern was the need to provide, "adequate protection against indiscriminate surveillance" and "obligations on oversight, transparency, redress and data protection rights".

The Privacy Shield's main protections include:

  • The US will create an ombudsman to handle complaints from EU citizens about the Americans spying on their data;
  • The US Office of the Director of National Intelligence will give written commitments that Europeans' personal data will not be subject to mass surveillance; and
  • The EU and US will conduct an annual review to check the new system is working properly Some of the additional changes agreed on 24th June include:
  • A written commitment from the White House, stating that bulk collection of data sent from the EU to the US can only occur under specific preconditions and must be "as targeted and focused" as possible;
  • More explicit data retention rules: companies now have to delete data that no longer serves the purpose for which it was collected; and
  • A specification that the ombudsman will be independent from national security services.

A spokesman for the European Commission said, "This new framework for transatlantic data flows protects the fundamental rights of Europeans and ensures legal certainty for businesses."

The EU is hoping for the Privacy Shield to be operational from July of this year.

Whatever happens, eventually the UK will probably need to have its own 'adequacy' arrangements for data transfers to the US and other countries and this will no doubt shine a light on its own security surveillance operations, particularly with current proposals to extend the UK's 'investigatory powers'. It may be the case that the UK will require its own Privacy Shield even if it adopts the GDPR.

Conclusion

As far as data protection is concerned, the UK's decision to leave the EU should not be seen as an immediate cause for panic. Current laws continue to apply and depending on the exact route chosen for "Brexit", existing and forthcoming directives and regulations such as the GDPR may apply too. Our advice to clients who are preparing or commencing their GDPR compliance programs is that they should continue with the same pace as before. Steps such as carrying out a data audit, creating a data flow map showing where data is and who accesses it, and ensuring appropriate contractual provisions are in place with data processors are all good practice initiatives which will reduce risk and ensure compliance with existing laws.

Download the PDF version of the full Q&A

Find a Member

View or print a complete ELA member list »

Client Successes

Altra Industrial Motion Inc.

Altra Industrial Motion Inc. has multiple locations in the U.S., as well as Central America, Europe, and Asia. The Employment Law Alliance has proved to be a great asset in assisting us in dealing with employment issues and matters in such diverse venues as Mexico, Australia, and Spain. We have obtained excellent results using the ELA network for matters ranging from a multi-state review of employment policies to assisting with individual employment issues in a variety of foreign jurisdictions.

In one instance, we were faced with an employment dispute with a former associate in Mexico that had the potential for substantial economic exposure. The matter had been pending for over a year, and we were not confident in the employment advice we had been receiving. I obtained a referral to the ELA counsel in Mexico, who was able to obtain a favorable resolution of the dispute in only a few days. Based on our experiences with the ELA, we would not hesitate to use its many resources for future employment law needs.

American University in Bulgaria

In my career I have been a practicing attorney, counsel to the Governor of Maine, and CEO of a major public utility. I have worked with many lawyers in many settings. When the American University in Bulgaria needed help with employment litigation in federal court in Syracuse, New York, we turned to Pierce Atwood, the ELA member we knew and trusted in Maine, for a referral. We were extremely pleased with the responsiveness and high quality of service we received from Bond Schoeneck & King, the ELA's firm in upstate New York. I would not hesitate to recommend the ELA to any employer.

David T. Flanagan
Member of Board of Trustees 

Arcata Associates

I really enjoyed the Conducting an Effective Internal Investigation in the United States webinar.  We are in the midst of a rather delicate employee relations issue in California right now and the discussion helped me tremendously.  It also reinforced things that you tend to forget if you don't do these investigations frequently.  So, many, many thanks to the Employment Law Alliance for putting that webinar together.  It was extremely beneficial.

Lynn Clayton
Vice President, Human Resources

Barrett Business Services, Inc.

I recently participated in the ELA-sponsored webinar on the Employee Free Choice Act.  I was most impressed with that presentation.  It was extremely helpful and very worthwhile.  I have also been utilizing the ELA's online Global Employer Handbook.  This compliance tool is absolutely terrific. 

I am familiar with several other products that purport to provide up-to- date employment law information and I believe that this resource is superior to other similar compliance manuals.  I am delighted that the ELA provides this free to its members' clients.

Boyd Coffee Company

Employment Law Alliance (ELA) has provided Boyd Coffee Company with a highly valued connection to resources, important information and learning. With complex operations and employees working in approximately 20 states, we are continually striving to keep abreast of specific state laws, many of which vary from state to state. We have participated in the ELA web seminars and have found the content very useful. We appreciate the ease, cost effectiveness and quality of the content and presenters offered by these web seminars.  The Global Employer Handbook has provided our company with a very helpful overview of legal issues in the various states in which we operate, and the network of attorneys has helped us manage issues that have arisen in states other than where our Roastery and corporate headquarters are located in Portland, Oregon.

Capgemini Outsourcing Services GmbH

As an international operating outsourcing and consulting supplier Capgemini has used firms of the Employment Law Alliance in Central Europe. We were always highly satisfied with the quality of employment law advice and the responsiveness. I can really recommend the ELA lawyers.

Hirschfeld Kraemer

Stephen HirschfeldAs an employment lawyer based in San Francisco, I work closely with high tech clients with operations around the globe. Last year, one of my clients needed to implement a workforce reduction in a dozen countries simultaneously. And they gave me 48 hours to accomplish this. I don't know how I could have pulled this off without the resources of the ELA. I don't know of any single law firm that could have made this happen. My client received all of the help they needed in a timely fashion and on a cost effective basis.

Stephen J. Hirschfeld
Partner 

Hollywood Entertainment Corporation

As the Vice President for Litigation & Associate General Counsel for my company, I need to ensure that we have a team of top-notch employment lawyers in place in every jurisdiction where we do business. And I want to be confident that those lawyers know our business so they don't have to reinvent the wheel when a new legal matter arises. With more than 3400 stores and 35,000 employees operating in all 50 U.S. states and across Canada, we rely on the ELA to partner with us to help accomplish our objectives. I have been delighted with the consistent high quality of the work performed by ELA lawyers. I encourage other in-house counsel to use their services, as well.

Ingram Micro

Ingram Micro is the world's largest technology distributor, providing sales, marketing, and logistics services for the IT industry around the globe. With over 13,000 employees working throughout the U.S. and in 35 international countries, we need employment lawyers who we can count on to ensure global legal compliance. Our experience with many multi-state and multi-national law firms is that their employment law services are not always a high priority for them, and many do not have experts in many of their offices. The ELA has assembled an excellent team of highly skilled employment lawyers, wherever and whenever I need them, and they have proven to be an invaluable resource to our company.

Konami Gaming

Our company, Konami Gaming, Inc., is growing rapidly in a very diverse and highly regulated industry. We are aggressively entering new markets outside the domestic U.S., including Canada and South America. I have had the recent opportunity to utilize the services provided by the ELA. The legal advice was both responsive and professional. Most of all, the entire process was seamless since our Nevada attorney coordinated the services and legal advice requested. I look forward to working with the ELA in the future, as it serves as a great resource to the legal community.

Jennifer Martinez
Vice President, Human Resources

Nikkiso Cryo, Inc.

Until recently, I was unaware of the ELA's existence. We have subsidiaries and affiliates throughout the United States, as well as in Asia, the Middle East and Europe. When a recent legal issue arose in Texas, our long-time Nevada counsel, who is a member of the ELA, suggested that this matter be handled by his ELA colleague in Dallas. We are very pleased with the quality and timeliness of services provided by that firm, and we are excited to now have the ELA as an important asset to help us address employment law issues worldwide.

Palm, Inc.

The ELA network has been immensely important to our company in helping us address an array of human resources challenges around the world. I strongly encourage H.R. executives who have employees located in many different jurisdictions to utilize the ELA's unparalleled expertise and geographic coverage.

Stacy Murphy
Former Senior Director of Human Resources

Rich Products

As the General Counsel for a company with 6,500 employees operating across the U.S. and in eight countries, it is critical that I have top quality lawyers on the ground where we do business. The ELA is an indispensable resource. It has taken the guesswork out of finding the best employment counsel wherever we have a problem.

Jill K. Bond
Senior Vice President/General Counsel, Shared Services and Benefits

Ricoh Americas Corporation

We have direct sales and service offices all over the U.S., but have not necessarily had the need in the past for assistance with legal work in every state where we have a business presence. From time to time, we suddenly find ourselves facing a legal issue in a state where we have no outside counsel relationship. It has been a real benefit to know that the ELA has assembled such an impressive team of experts throughout the U.S. and overseas.

A few years ago, we faced a very tough discrimination lawsuit in Mississippi. We had never had to retain a lawyer there before. I was absolutely delighted with the Mississippi ELA firm. We received an excellent result. They will no doubt handle all of our employment law matters in Mississippi in the future. I have also obtained the assistance of several other ELA firms around the U.S. and have received the same outstanding service. The ELA is a tremendous resource for our company.

Roberts-Gordon LLC

Our affiliated companies have used the Employment Law Alliance in connection with numerous acquisitions, and have always been extremely pleased with our ability to obtain the highest quality legal advice on due diligence issues from jurisdiction to jurisdiction. We have found the Employment Law Alliance firms to be not only first rate with respect to their legal advice but also responsive and timely in assisting us with federal and state law issues critical to our due diligence efforts. We consider the Employment Law Alliance to be an important part of our team.

Rockwell Collins, Inc.

We have partnered with many ELA firms on the development and execution of case management strategies with very positive results. We have been very pleased with the legal advice and counsel provided by the law firms we have utilized who are affiliated with the Employment Law Alliance. The ELA firms we have worked with are customer focused, responsive, and thorough in their approach to handling labor and employment law matters.

Elizabeth Daly
Assistant General Counsel

Sanmina-SCI

Sanmina-SCI has facilities strategically located in key regions throughout the world. Our customers expect that we will provide them with the highest quality and most sophisticated services in the marketplace. We have that same expectation for the lawyers with whom we do business. With operations in 17 countries, we need to be certain that we have a team of lawyers working together to address our employment law needs worldwide. The ELA has delivered exactly what it promised-- seamless and consistent high quality services delivered in each locale around the globe. It has quickly become a key asset for our human resources department.

Starwood

We own, manage, and franchise hotels throughout the U.S. and in more than 90 countries. With more than 145,000 employees worldwide, ensuring that we comply with the complex web of local labor and employment laws in every one of these jurisdictions is a daunting task. The Employment Law Alliance has served as an important resource for us and we have benefited greatly from its expertise and long reach. When a legal dispute or issue has arisen in some far-flung place, Employment Law Alliance lawyers have always provided responsive, practical, and cost-effective assistance.

Wilmington Trust Corporation

Wilmington Trust has used the ELA to locate firms in California, Washington State, Georgia, and Europe. Our experience with the ELA lawyers with whom we have worked has always been one of complete satisfaction and prompt, practical advice.

Michael A. DiGregorio
General Counsel