Last week's Brexit deal solidifies the terms under which the United Kingdom will leave the EU. But the issue of data transfers remains open, with great potential for confusion among privacy officers around the globe.
European privacy laws prohibit the transfer of personal information outside the Union without guarantees that the data will be held to the same standard of care. Now that the U.K. is leaving, a firm storing data in the U.K. will eventually be subject to the same burden as those in North America or Africa.
The Brexit agreement says that for at least the next four months, British companies can continue as if the U.K. were still in the EU. If neither side objects, another two months could be added. During that time frame, the EU will evaluate whether the U.K. provides an adequate level of regulatory privacy protection for data transfers to continue unimpeded.
Without that decision, "companies will need to have one of the safeguards in place," said Sarah Pearce, a partner in the privacy and cybersecurity practice at law firm Paul Hastings.
Those safeguards include standard contractual clauses for every company handling data, or binding corporate rules (BCRs) across a corporation.
This may mean, said Pearce, that companies currently using the U.K.'s Information Commissioner's Office as a governing body would need to update their BCRs.
Similarly, said Scott Pink, special counsel at the firm O'Melveny, companies that based their data representative in the U.K. will need to move their representative to an EU country. The data representative, a local point for official contact, is a requirement to do business in the EU.
As U.K. and EU laws diverge, companies will need to keep track of differing privacy regimes, said Pink. "You now have to keep track of two things: what the U.K. is doing and what the EU is doing."
The U.K. and EU are expected to operate similar, compatible systems of privacy law, though the U.K. version of GDPR is settled. For U.S. firms, whose home nation already has different privacy laws state by state, a new U.K. regime might be one more for the pile. But that does not mean a new regulatory force can be added without incident.
"One thing companies should be looking at is increased enforcement," said Jung-Kyu McCann, general counsel for the cloud data management platform Druva. "Companies now face enforcement in the European Union and the U.K."
McCann also said that, as a practical matter, companies should probably prepare to answer questions about U.K. enforcement. That is true, she said, whether it is relevant to their company or not; customer worries often do not align with situational realities.
Druva is trying to prepare for the new post-Brexit legal realities as they arrive, and is considering adding a U.K. data representative in addition to its EU representative to smooth matters in that market.
"Everyone is crossing their fingers and hoping the EU decision comes out in early 2021," she said.