The excitement surrounding the unexpected Brexit results has drowned out less dramatic stories. With David Cameron’s resignation as Prime Minister and Jeremy Corbyn’s position as Leader of the Opposition increasingly precarious, a surging demand for Irish passports and the threatened departure of major corporate headquarters from London, data privacy developments have been relegated to the back pages. Yet those developments are significant: U.S. and E.U. negotiators have reached a breakthrough on Privacy Shield, a new data privacy arrangement. And analysts increasingly agree that the U.K. will almost certainly adhere to E.U. data privacy regulations, including Privacy Shield, whether or not it is a member of the E.U.
Readers will recall that European courts struck down Safe Harbor, the venerable U.S.-E.U. privacy management framework, in last Fall’s Schrems case. Over 4,000 American companies and tens of thousands of European ones had relied on the Safe Harbor framework. The Schrems decision left governments and corporations scrambling to replace Safe Harbor with a patchwork of temporary solutions such as model contracts, binding corporate rules and even the physical relocation of servers to European soil. In the meantime, American and European negotiators frantically worked to develop a new data regulatory scheme that would satisfy both sides yet be sufficiently robust to withstand the inevitable legal challenge.
Privacy Shield: Highlights
On June 24, media reports indicated that American and European negotiators had settled on the broad contours of a new post-Safe Harbor arrangement. If approved, the arrangement could come into effect as early as July 8. Privacy Shield, the new proposal, reportedly addressed the post-Snowden concerns raised by European privacy advocates, including the European Data Protection Supervisor. While negotiators have been officially discreet as individual European governments evaluate the proposals, the known details of Privacy Shield are intriguing.
Perhaps the most remarkable development is the contemplated appointment of a United States Ombudsperson. This newly created position would function as a single point of contact for European governments regarding data privacy matters, subsuming a role currently spread across a myriad of departments and agencies including State, Defense, Commerce, and the Federal Trade Commission. Not surprisingly, Privacy Shield requires that the Ombudsperson be independent of the U.S. intelligence community. E.U. citizens would be able to direct complaints regarding purported American data collection practices to the Ombudsperson.
Perhaps paradoxically, the U.S. agreed to have the Director of National Intelligence communicate written assurances that E.U. citizens would not be subject to mass surveillance. U.S. negotiators also shared details regarding the government’s data collection processes to assuage European concerns on this score.
In particular, the U.S. agreed that bulk collection of European data sent to the U.S. will only occur under particular conditions and that it will be as “targeted and focused” as possible. In the private sector, companies relying on Privacy Shield will adhere to data retention requirements mandating the destruction of data that no longer serves the purpose for which it was collected.
U.K. Developments: Brexit and “Adequacy” Determination
While the E.U. continues to represent the U.K. in the Privacy Shield negotiations, Brexit and its potential repercussions represent a large unknown variable in the future of European data regulation. In recent days, the U.K.’s Information Commissioner has stressed that the E.U. Data Protection Directive remains in effect for purposes of U.K. law. That result is largely driven by the fact that the U.K.’s Data Protection Act, the Directive’s enabling legislation for U.K. subjects, remains in force. For practical purposes, this means that E.U. standards will continue to define U.K. data standards for the immediate and intermediate future.
Moving forward, the need to comply with E.U. standards will constrain British flexibility in any future bilateral U.S.-U.K. data protection accord. Both nations draw on an excellent relationship rooted in the Common Law, dating back to Bletchley Park and continuing in today’s “Five Eyes” network, but British maneuvering room is limited by the practical necessity of compliance with E.U. standards. From that practical perspective, even ardent Brexit supporters do not advocate a complete divorce from Europe.
Instead, most propose a close economic relationship under an EEA-type arrangement of the sort that the E.U. already has with Iceland, Liechtenstein and Norway, and such an arrangement would necessitate compliance with E.U. standards. (In essence, EEA participants agree to many of the compliance and regulatory burdens of E.U. member states and receive market access to the E.U. in return; however, they have limited financial obligations to, and no political input within the E.U.)
Consistent with this EEA-style approach, the U.K. Information Commissioner has already stated that it will seek an E.U. “adequacy” determination establishing the U.K.’s compliance with the E.U.’s newly approved General Data Protection Regulation. A spokeswoman for the office explained that, “If the U.K. wants to trade with the single market on equal terms we would have to prove ‘adequacy’ – in other words, U.K. data protection standards would have to be equivalent to the EU’s General Data Protection Regulation (GDPR) framework starting in 2018.”
The real-world effect, as Brexit opponents warned, would be that E.U. standards would define U.K. regulations, and as an E.U. outsider, the U.K. would no longer be “at the table” developing those standards. Nor is the E.U. likely to offer London flexibility in any future discussions. Indeed, in an effort to avoid a “race-to-the-bottom” of renegotiated Brussels mandates, the E.U. has been adamant in opposing concessions: its treatment of Greece during the recent Euro crisis is the highest profile example, but even wealthy non-E.U. partners such as Switzerland have encountered stiff resistance.
Nevertheless, the U.K. wields clout that previous dissidents have not. It is Europe’s second largest economy and an important E.U. export market in its own right. And London has pointedly noted that absent enabling legislation, the Brexit referendum is of no independent legal significance. Moreover, it has made it clear that it is in no hurry to invoke Article 50 of the Treaty of Lisbon, which would begin the exit process. This has led to the apparent paradox wherein Brussels is pressing for an early British withdrawal while London firmly favors a deferred and gradual process to ensure all modalities are ironed out. Those modalities presumably include a mechanism to ensure that the U.K. data protection regime receives and retains a GDPR “adequacy” determination.
These dynamics are accentuated by the timetable. Assuming the U.K. invokes Article 50 sometime this Fall, Brexit is currently slated for Fall 2018, while the GDPR framework goes into effect in May 2018. Accordingly, during this interim period, the U.K. will be subject to, but also able to influence, the GDPR. But even after that period, a post-Brexit U.K. may hesitate to enter into bilateral arrangements with the U.S. that place its GDPR “adequacy” determination (and therefore its EEA data-hosting ability) at risk.
A harbinger of future events may lie in the fine print of a recent Amazon announcement. In that announcement, Amazon confirmed that it remains committed to opening a London data facility by 2017 notwithstanding Brexit. At the same time, Amazon offers clients concerned about U.K.-based hosting the choice of German or Irish servers. Notably, Amazon attributed this arrangement to customer preference rather than regulatory regimes: many E.U. clients, particularly Germans, remain most comfortable with data presence in their own country. Like many aspects of human nature, that preference is unlikely to be altered by the precise legal nuances of a post-Brexit U.S.-U.K.-E.U. privacy shield.
In the final analysis, the potential flux in the U.K. data protection regime underscores a fundamental point about the economic imperatives underlying regulation: the globalized nature of data processing, when combined with the size and attractiveness of E.U. markets, means that even a politically historic Brexit vote may turn out to be far less meaningful as a practical matter. To paraphrase a quintessentially British rock group, the E.U. will likely continue to have the U.K. (and the rest of the world) “under its thumb” when it comes to data privacy regulation. Or, as a popular American band might put it, the E.U. data privacy rules are a lot like the Hotel California: a nation may check out any time it likes, but it can never leave.
As expected, on July 8, the E.U. announced that individual member states approved Privacy Shield. This paves the way for formal approval by the U.S. and E.U. next week.
© Poyner Spruill LLP. All rights reserved.