By Christopher Folk
(Re-published from blog.cybersecuritylaw.us | Oct. 26, 2016) In a referendum on June 23, 2016, with voter turnout exceeding 70%, voters in the UK decided 52% to 48% to leave the European Union. The exit of the UK from the EU has been coined Brexit (“Britain + exit”). A member state may withdraw from the EU under Article 50 of the Treaty on European Union (introduced by the Lisbon Treaty), which, once invoked, gives the UK and the EU two years to negotiate the terms of the UK’s exit.[i]
Data Protection & Brexit
In the near term, and until the UK actually effects its exit from the EU, the UK will continue to operate under existing EU law, and the new General Data Protection Regulation (“GDPR”), which becomes mandatory in May 2018, will shape the way UK firms handle personal data.[ii] Consequently, UK firms are expected to be required to implement GDPR policies concerning the protection of EU citizens’ data. This is echoed by the new Information Commissioner for the UK, Elizabeth Denham, who openly advocates that the UK move forward with the GDPR irrespective of the impending Brexit.[iii] In many respects, then, technology firms in the UK have some assurance that the UK will move forward with the GDPR; however, some risk remains.
Brexit follows closely on the heels of the European Court of Justice’s ruling that the EU-US Safe Harbor agreement was invalid, due in large part to the lack of data privacy protections for EU citizens.[iv] This is worth noting because Britain and Ireland were both largely supportive of the Safe Harbor agreement, whereas France and Germany had been pushing for more stringent privacy controls to safeguard their citizens’ data.[v] Consequently, while the replacement for Safe Harbor is being negotiated, the UK will likely take a keen interest in both the direction and the outcome, since it often finds itself closely aligned with its ally across the Atlantic.
General Data Protection Regulation
The GDPR changes a number of things; the highlights are as follows. The definition of personal data is expanded to include IP addresses and online identifiers, and companies must have explicit consent to use this data. Citizens will be more readily able to ascertain which companies are storing their data and how that data is being used. The GDPR also introduces the concept of data portability, which allows a person to migrate their data between companies. It further imposes a duty on companies to notify when personal data is exposed (hacked), and, upon request, personal data must be deleted. Along with these duties comes liability: companies found in violation can face fines of up to €20 million or 4% of global annual turnover, whichever is higher.[vi]
EU-US Privacy Shield
Following the ruling against the existing Safe Harbor agreement, the US and EU put together what is termed the Privacy Shield. Under the proposed framework, any US company that receives personal data from the EU must rely on one of the following cross-border transfer mechanisms: (1) standard contractual clauses; (2) binding corporate rules (e.g. intercompany/affiliate data transfers); or (3) the Privacy Shield framework.[vii]
Similarly, any EU company that transfers data to a US company must ensure that one of the three aforementioned mechanisms is in place prior to the transfer. Any transfer conducted outside these mechanisms would be deemed illegal. The Privacy Shield itself has several critical elements:
- Contractual Requirements for Onward Transfers: companies that transfer personal data to any third party must have specific contract provisions mandating that safeguards for the personal data persist after the transfer and that the transferor retains control over the third party’s use of the personal data;
- Right to Modify Personal Data: the data subject has a persistent right to correct, amend, or delete personal data that is inaccurate or that has been processed in violation of the principles; further, companies may not charge excessive fees when a user exercises these rights;
- Persistent Contractual Obligations: any downstream party (i.e. recipient) of the data must adhere to all of the principles and rights afforded a person with respect to their personal data;
- Opt-Out Rights: where personal data is disclosed to a third party, or where the data is used for a purpose materially different from the original agreement, the data subject has the option to opt out (including opting out of use for direct marketing purposes);
- Dispute Resolution: there are a very specific set of steps and avenues for redress that may be pursued when a citizen asserts that a violation of the Privacy Shield has occurred;
- Ongoing Compliance Monitoring: the US Dept. of Commerce is tasked with continuous monitoring to ensure that there is full compliance amongst US companies with the Privacy Shield provisions;
- Restrictions on Bulk Collection: this was one of the leading criticisms of the EU-US Safe Harbor agreement following the revelations by Edward Snowden. Under the Privacy Shield, bulk collection is expressly forbidden except where selective collection is impractical, and even in those cases minimization procedures must be applied to ensure that data is accessed for specific purposes only;
- Establishment of a Privacy Shield Ombudsman: this role will be filled by a person designated by the Secretary of State and will utilize additional State Department personnel as needed to ensure that this role is carried out in the absence of any influence or involvement by the Intelligence Community;
- Annual Review and Assessment: EU data protection authorities and the US Department of Commerce will conduct periodic, annual joint reviews of the Privacy Shield framework to ensure compliance and to assess and advise on changes that should be implemented [viii] …
To read the entire blog, click here.
Christopher Folk is a candidate (2017) for both a master’s in Forensic Science and Technology (Syracuse University) and a Juris Doctor degree (SU Law). Also a software engineer, Folk’s legal externship is with Chertoff Group company Delta Risk, where he focuses on legal and policy analysis pertaining to US and International cyber law.
[i] Brian Wheeler and Alex Hunt, Brexit: All you need to know about the UK leaving the EU, BBCNews, available at http://www.bbc.com/news/uk-politics-32810887 (Oct. 3, 2016) (The two-year time period begins once Article 50 is invoked and negotiations start).
[ii] Nick Heath, Brexit: 5 Ways the UK leaving the EU will affect tech firms, TechRepublic, available at http://www.techrepublic.com/article/brexit-5-ways-the-uk-leaving-the-eu-will-affect-tech-firmsect-tech-firms/ (Jun 24, 2016).
[iii] Adrian O’Connell, Information Commissioner calls for post-Brexit Britain to implement EU data rules, Irish Legal News, available at http://www.irishlegal.com/5462/information-commissioner-calls-for-post-brexit-britain-to-implement-eu-data-rules/ (Oct. 3, 2016).
[iv] Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, The New York Times, available at http://www.nytimes.com/2015/10/07/technology/european-union-us-data-collection.html?_r=0 (Oct. 6, 2015).
[vi] Joe Curtis, EU Passes GDPR laws that require companies to drastically improve their data privacy policies, ITPro, available at http://www.itpro.co.uk/data-protection/26365/your-business-must-prepare-today-for-2018-eu-data-protection-laws (Apr. 15, 2016).
[vii] Chanley T. Howell, et al., Safe Harbor Replacement EU-US Privacy Shield Approved, The National Law Review, available at http://www.natlawreview.com/article/safe-harbor-replacement-eu-us-privacy-shield-approved (Jul. 12, 2016).