The people of the United Kingdom have spoken, and they want out of the European Union (EU). Yesterday, voters in the UK voted to leave the EU, the political-economic community and marketplace comprising most of Western Europe.
One key impact is that the UK will no longer be bound or benefit from EU regulations, treaties and trade agreements. As a result, the General Data Protection Regulation (GDPR), passed by the EU in May 2016, and the currently pending Privacy Shield* between the European Commission and U.S. Department of Commerce, will not apply to the UK once it has completed its exit from the EU. Instead, the current Data Protection Act of 1998 (the UKDPA), the UK’s national data protection law, shall remain its law of the land, rather than the GDPR, and participation in the Privacy Shield (once it is approved) will not extend to personal data transfers from the UK to the United States.
It remains to be seen whether the United States will seek a direct agreement with the United Kingdom to provide a mechanism similar to the EU-US Privacy Shield. Given the high level of investment by U.S. companies in the UK, it would appear likely that the U.S. and the UK government would at a minimum work out an agreement similar to the Privacy Shield to offer U.S. companies an additional way to import UK data beyond the current permitted data transfer mechanisms under the UKDPA, which can be difficult to administer for companies with multiple data flows to the United States.
In the wake of the exit vote, world markets have already suffered immediate and significant declines. Though closely intertwined, data privacy regulation is likely to be pushed from the forefront as the UK and remaining EU countries try to anticipate and adjust to the new economic reality. At least in the short term, we expect approval of the Privacy Shield may be delayed, and therefore the uncertainty caused by invalidation of the Safe Harbor Agreement will remain.
We will continue to monitor the impact of the UK’s exit on companies’ EU data privacy compliance obligations.
*Privacy Shield is the framework that is currently pending and is intended to replace the invalidated Safe Harbor Agreement, and which will provide an avenue for EU-to-U.S. data transfers once it is passed by the EU Commission.