Last week I attended the ‘Future-Proofing Privacy’ event in Paris, hosted by the International Association of Privacy Professionals and Hogan Lovells. The issue of Brexit and its impact on cybersecurity came up very quickly although the main topic was supposed to be GDPR. As we have written before on this blog, the EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which means it will most likely be in place before the UK can decouple itself from the European Union.
It’s interesting to note that the UK’s Information Commissioner Christopher Graham had already made an updated statement on the issue at the launch of his annual report. He said his office would be discussing with the Government the implications of the Brexit referendum result and its impact on data protection reform in the UK.
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.
Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
My sense at this point is that Britain will have no choice but to follow the European rules. When the UK exits the European Union, it will still need to prove adequacy for GDPR and the only way to do that is by implementing the regulations.
One of the takeaway findings from the IAPP event was that all contracts governing the area of data protection will need to be much stronger. At the event, I picked up a hard-copy version of Hogan Lovells’ report, called Future-proofing privacy: a guide to preparing for the EU Data Protection Regulation, which is also available to download.
My eye was drawn to the section on international data transfers. The guide advises that the existing restrictions affecting international data transfers are set to continue under GDPR, and existing adequacy findings will continue to be valid in principle.
Transfers of personal data to a third country outside the European Economic Area are allowed only if “the Commission has established that the third country ensures an adequate level of data protection by reason of its domestic law or as a result of the international commitments it has entered into”.
GDPR will also only allow international data transfers outside the EEA if there are “adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights have been adduced, such as: where the transfer is based on the standard contractual clauses approved by the Commission (“EU Model Clauses”) … where other transfer mechanisms recognised by European DPAs under the Data Protection Directive (such as Binding Corporate Rules (“BCRs”)) are in place”. As the guide makes clear, some EU Member States have additional requirements that include prior notification to the local data protection authority.
Although the report has been overtaken by events (not only the Brexit vote but also the demise of Safe Harbor), it’s still a valuable source of information. I still expect British entities to have to implement GDPR, so as far as data protection and security are concerned, the message is very much “keep calm and carry on”.