With the impending decision on how exactly the UK will leave the European Union, panic lurks. Again, we might add. After all, the launch of the GDPR last year already caused a lot of turmoil among organisations across Europe. All the more reason for anxiety and distress when it comes to a hard Brexit, which will have significant consequences that go way beyond privacy regulations, one could argue. Yet, we choose to think otherwise as there are many reasons not to panic.
First of all, panic has never served anyone. Keeping calm and using your common sense, on the other hand, has. Moreover, those who did succumb to feelings of panic last year probably regret doing so. This includes a large financial company that sent an alarming, legally worded email to some 200,000 people who, in turn, reacted in a panicky way by not responding to the opt-in. As a result, a very valuable database was lost overnight. Besides, the only fines we have seen so far have targeted large players such as Facebook and Google. Speaking of which, Google was sanctioned by the CNIL, the French privacy authority, last month with a €50 million fine for non-compliance with the GDPR. In this particular case, Google had unmistakably violated the key principles of transparency as defined by the GDPR. Also, these violations concerned not just a handful of people but some ten thousand, as brought to the CNIL by an interest group.
Remember Safe Harbor
Back to Brexit and its implications for privacy management. In the Netherlands, several trade organisations have expressed their concerns about this topic. On one hand, this is a good thing. On the other, however, hitting the panic button by emphasizing possible substantial fines in the event of unauthorized personal data transfers to the UK will unnecessarily fuel feelings of distress. Remember Safe Harbor, the former privacy agreement for American companies doing business in the EU? That agreement ceased to exist quite out of the blue too, but was soon replaced by the EU-US Privacy Shield. No real damage done.
There are several scenarios to be taken into account. These depend on whether or not the European Commission will adopt a so-called Adequacy Decision in accordance with article 45 of the GDPR. If so, the UK is presumed to offer sufficient privacy protection, being a ‘third country with an adequate level of protection’ from an EU perspective. At this moment, this already applies to countries such as Switzerland, Canada and Argentina.
- Without an Adequacy Decision, either so-called Model Contracts, Binding Corporate Rules (BCR) for large organisations, a code of conduct or certification mechanisms must be put in place.
- If an Adequacy Decision is issued, most things remain as they are now. Yet, differences in interpretation as well as enforcement of privacy matters may arise occasionally.
The European Data Protection Board (EDPB) builds upon the guidance provided on this matter by supervisory authorities and by the European Commission (EC). More information can be found on the site of the Dutch Privacy Authority (AP).