Brexit and Data Privacy Issues
The smooth transfer of personal data between the European Union and the UK is of critical importance for many British and Continental businesses and may be jeopardized by the Brexit process.
The 1995 EU Directive on Privacy establishes EU citizens’ right to privacy, including the protection of their personal data and the “right to be forgotten” from search engines.
Countries that conform to these rules receive “adequacy agreements” that allow their data to be transferred across borders. Some countries have been deemed as providing fully adequate data protection; the U.S. is only partly adequate and has a separate agreement with the EU. Until Brexit is completed, the UK doesn’t have to prove its adequacy. But afterwards, it may or may not be granted an adequacy decision due to “considerable uncertainties” around its impending departure.
Mass data surveillance and intelligence sharing with U.S. at odds with EU privacy laws
The 2016 UK law allowing mass data surveillance for security reasons likely is in violation of EU privacy laws. Furthermore, the UK shares intelligence with non-EU countries Australia, Canada, New Zealand and the U.S.. The EU is worried its citizens’ data is being accessed by the members of the so-called “Five Eyes” agreement without proper, sovereign control. This is one of the key reasons why the UK might not be granted an adequacy agreement upon Brexit.
Should the UK not be deemed “adequate”, British firms would be allowed to transfer data only if they agreed to regular compliance audits ; adding insult to injury, they would need authorization by 27 national data protection authorities throughout the EU or at least in every single country where they want to do business.
An update to current UK data-protection laws may go further than EU rules; nevertheless, the EU probably will not decide on the UK’s adequacy until after it is officially out of the Union. Until then, uncertainty is the name of the game.