While Britain’s vote to leave the European Union (EU) shocked the world and rocked financial markets, the move has yet another set of possible repercussions: it could increase the complexity of the international rules governing privacy and international data transfer. As a result, “Brexit” may change the strategy for U.S. ad tech companies seeking to enter the European market.
Before June’s Brexit vote, the EU had finalized a General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, that will require significant compliance efforts by marketers, such as enhanced data subject consent standards, data protection officer requirements, data portability requirements and an expanded reach. The United Kingdom’s data protection commissioner recently indicated that while the Information Commissioner’s Office still plans to align with the EU’s GDPR, the practical details of its implementation in the United Kingdom could change. Prior to Brexit, this was the only system applicable to all EU countries, and if the United Kingdom is not part of the EU, then upcoming EU reforms to the data protection law would not directly apply to the United Kingdom.
Thus if the United Kingdom wants to trade with the EU on equal terms, it will have to prove “adequacy” – that is, that its data protection standards are equivalent to the GDPR’s framework starting in 2018. While any final Brexit would likely occur after implementation of the GDPR, and “equivalent” does not mean “the same,” businesses and services operating in the United Kingdom and the EU would have to comply with both sets of standards.
The Privacy Shield
Following Brexit, there also is a question as to the effectiveness of the Privacy Shield, which recently was adopted by the United States and the EU to protect the transfer of personal data to the United States from the EU. It is not clear if a post-Brexit United Kingdom will adopt the Privacy Shield or something similar. As with the GDPR, if the United Kingdom modifies the Privacy Shield, it would require marketers to meet two sets of standards – undoubtedly similar, but also not the same.
In addition, if the United Kingdom does modify the Privacy Shield, then it could face the same challenge that led to the U.S.-EU Safe Harbor being struck down. If that were to happen, there would be a period during which data transfers from the United Kingdom to the United States could be in jeopardy.
Mind the Divide
In the short term, there may not be many (or any) changes to privacy and data practices in the United Kingdom following Brexit. However, as the process proceeds and the EU further develops and implements new standards, it is possible that a divide will develop and expand between regulatory schemes in the United Kingdom and the rest of the EU.
Companies operating in European jurisdictions should continue to monitor developments and be prepared for a more complicated privacy and data security compliance landscape to develop in Europe.
Gary A. Kibel is a partner in the Digital Media, Technology & Privacy Practice Group at Davis & Gilbert LLP. He may be reached at 212.468.4918 or firstname.lastname@example.org.