The British electorate has voted to leave the European Union, rejecting the pleas of all major political parties and most business, media, and legal experts across the political spectrum. Prime Minister Cameron announced that he will resign in October and that his successor will then work out the details of withdrawal from the EU.
What does this mean for US-based multinationals and other global companies that do business in Europe, often from a base in the UK? Specifically, what is the impact on handling information across the English Channel and across the Atlantic?
Short-Term Continuity, Long-Term Uncertainty
Nothing changes immediately. Actually, Parliament is not legally obliged to do anything as a result of the referendum, but the dominant Conservative Party has promised to act promptly on the vote and would probably find itself in an untenable position if it ignored the results of the referendum. The government may attempt to negotiate informally with Brussels, but ultimately withdrawal entails invoking Article 50 of the 2007 Treaty of Lisbon, which says simply that any EU member state may withdraw from the Union “in accordance with its own constitutional requirements.” That starts a process of negotiating the terms of departure with the remaining members for up to two years, a period that can be extended if the UK and the European Council (representing the governments of all the other 27 member states) unanimously agree to do so.
During that period of two years or more, the UK will try to negotiate agreements with the EU, to avoid tariffs and other restrictions on trade. The UK also will presumably apply for individual membership in the World Trade Organization (its membership is currently only through the EU), a process that may take some time. It will have to negotiate the status of British citizens living and working in EU countries, and that of EU citizens living and working in the UK (meanwhile, many thousands may pour into the UK while they can still do so freely, and managers will frantically try to move people in and out of positions). The UK will have to negotiate to continue mutual recognition and cooperation in the fields of income tax, value-added tax, pensions, employment benefits, corporate accounting, public company reporting to shareholders, financial institution oversight, and other areas that are currently harmonized under EU legal measures. There are potential headaches here for CFOs, human resources managers, and compliance officers in regional offices.
Internally, Parliament will have to repeal the European Communities Act of 1972. But that is only the start of its work. Over the past four decades, many laws and statutory instruments have been enacted to implement EU directives and other EU legislative measures, including, for example, UK laws and regulations transposing the various EU company law directives and labor directives, the Data Protection Act 1998, the Privacy and Electronic Communications Regulations (PECR), and measures implementing the EU Electronic Commerce Directive, the Audiovisual Media Services Directive, and the Unfair Commercial Practices Directive. All of the British legal instruments remain in place unless and until they are amended or repealed, but now they may all be subject to review. However, there are also many EU regulations that apply directly within the EU, without being enacted as national laws or regulations. Parliament would have to enact replacement legislation to continue any of these measures, in areas as varied as consumer product safety, securities regulation, competition law (antitrust), and pharmaceutical standards. Another consequence of Brexit is that UK laws presumably will be interpreted by the courts with reference to British judicial precedents and not rulings of the Court of Justice of the European Union (CJEU).
The new EU General Data Protection Regulation (GDPR) is such a regulation with direct effect, and it may now not take effect in the UK in May 2018 as planned unless Parliament chooses to amend UK data protection law accordingly or the withdrawal process takes much longer than anticipated. Multinationals operating in Europe have been planning toward compliance with the GDPR, but they must now consider the possibility that it will have no analogue in the UK, or only a brief one if the UK’s departure takes effect after May 2018.
How closely Parliament hews to the EU directives and regulations depends on the outcome of UK-EU negotiations and the model the UK ultimately adopts for its relationship with the EU. Under the “Norwegian model,” the UK would seek to join the European Economic Area (EEA) and gain unfettered access to the EU’s single market in exchange for adopting the vast majority of EU laws and regulations, paying a tax to the EU, and accepting the free movement of goods, services, capital, and workers into the UK (all without having any vote on EU legislation). Since those commitments seem to be precisely the sore points for the majority of UK citizens who voted for Brexit, this model seems an unlikely choice in the current political environment. The “Swiss model” (which involves joining EFTA, the more loosely connected European Free Trade Association) provides more limited access to the single market, with much more limited commitments on migration and intergovernmental cooperation but still a great deal of harmonization in laws and standards. That arrangement has taken many years to evolve, and it would probably not be easy to adapt to the UK. Alternatively, there is the “WTO model”: the UK would become just another WTO member, like the US or China, and rely on its general trade rules to avoid discriminatory tariffs. Finally, there is the “Canadian model,” under which the UK would try to negotiate a favorable, unique bilateral trade agreement, as Canada did earlier this year, without belonging to any of the European trade associations. At this moment, the shape of the future UK-EU relationship is unknown, but European leaders, afraid that other EU countries may be tempted to bolt from the EU, are unlikely to give the UK a particularly sweet deal.
Impact on Data Protection and Data Processing
One way or another, Britain needs to continue to trade with the EU and EEA countries, and companies must continue to move information to do that. For the foreseeable future, the EU will presumably accept the UK Data Protection Act and PECR as providing an “adequate” level of privacy protection, because they comport with current EU data protection law. Will that remain true after May 2018 when the GDPR applies in the EU and not in the UK? Probably, at least for a while, considering that the EU will not likely revoke adequacy decisions for Canada, Switzerland, Israel, Argentina, and other countries with laws similar to the 1995 EU Data Protection Directive, although it may encourage them to update their laws along the lines of the GDPR. Thus, personal information should continue to move across the Channel despite Brexit.
Companies operating solely or primarily in the UK may even consider it an advantage not to have to deal with some of the new features of the GDPR, such as data breach notice requirements, more extensive requirements for written documentation on privacy and security procedures, and the ill-defined new rights to be “forgotten” or of “data portability.” On the other hand, the GDPR would have eliminated the registration requirement that will continue under the Data Protection Act 1998 unless Parliament chooses to drop that requirement by amending the Act.
But foreign companies operating in Europe will not have the advantage of using the UK data protection authority, the Information Commissioner’s Office or ICO, as the designated one-stop-shop for compliance issues in Europe. This is one of the advantages offered by the GDPR, allowing companies functioning in many countries to centralize their data privacy compliance interface in the EU country where their regional headquarters or principal operations are located. For many US-based multinationals, that is the UK, a relatively business-friendly, English-speaking environment. But with the UK outside the EU / EEA, companies will not be able to look to the ICO as their regulatory interlocutor for Europe, unless the UK negotiates an agreement with the EU that effectively brings the UK under the provisions of the GDPR.
For data transfers to the US and other jurisdictions without similar data privacy laws, it is uncertain how companies operating from the UK will be able to take advantage of the “Privacy Shield” that is currently being negotiated between the EU and the US government. And it needs to be made clear that companies in the UK can continue to employ the EU-approved standard contract clauses for international data transfers. Switzerland and Israel, for example, have expressly authorized the use of EU-approved mechanisms for cross-border data transfers. But companies using the standard contract clauses across Europe will presumably not be able to use English law as the norm, since they generally would have to select the law of a member state.
Following the UK’s departure from the EU, how should multinationals structure their European data processing and privacy compliance, to the extent they have choices? Having worked in many European countries, I typically recommend that US-based companies look to the EU country where they currently have their most substantial operations. Examine first whether it is feasible to establish a suitable principal relationship with the data protection authority in that country, to serve as the lead data privacy regulator in Europe, and whether that country works well for the choice of law in the standard contract clauses in data transfer agreements. Where a company has multiple options, or has not yet located its European data center or principal operations, I recommend looking at Ireland, an English-speaking jurisdiction with a pragmatic data protection authority and a relatively favorable tax and labor environment. The Netherlands and Belgium also offer notable advantages. Within Germany, data protection in the private sector is supervised at the state level, not by the federal commission, and the state commissions vary considerably in attitude and interpretation, so location matters even with the greater degree of legal standardization promised by the GDPR.
It should be noted that one consequence of Brexit is renewed debate in Scotland and Northern Ireland over the possibility of seceding from the UK and remaining separately in the EU. In that event, of course, the GDPR would apply in those jurisdictions. This issue may not be possible to resolve within the next two years, however, so the likeliest scenario is that the Data Protection Act 1998 will continue to apply for the time being, as in the rest of the UK. If Scotland or Northern Ireland go their own way, they could offer many of the same advantages as Ireland in attracting US-based companies looking to establish facilities within the EU.
The timing for Britain’s departure could be awkward. The GDPR will be enforced across the EU effective May 25, 2018, but it is likely that the UK’s withdrawal from the EU will not be finalized until some time in 2019, as Conservative Party leaders are currently predicting. This means that the GDPR should technically replace the Data Protection Act 1998 in May 2018, but would British courts enforce it, and would the European Commission launch a CJEU proceeding against the UK if it did not apply the GDPR for a few months before the withdrawal became final? Alternatively, would Parliament take the initiative to update the Data Protection Act in line with the GDPR? This is but one example of the legal limbo that will affect many pieces of legislation during this period of transition, which will almost certainly be messier than anticipated. It also suggests that Parliament must act quickly if it wants to reestablish confidence in the UK as a reliable location for regional data centers and headquarters operations. Companies with operations across Europe and between Europe and the US will be seeking compliance solutions that are more stable and consistent than Britain seems to offer at present.