This week marks two momentous events that affect the cybersecurity industry directly. For us in the UK, January 31 marks the official ‘departure point’ for the UK from the European Union (EU), whilst today (January 28) is European Data Privacy Day.
Are the two linked? Will the final arrival of Brexit make a massive difference to the data privacy posture of the UK? Infosecurity met with Cordery’s Jonathan Armstrong to discuss the current situation.
Armstrong said that he felt that people were “making an effort on both sides” and the UK government and the Information Commissioner’s Office (ICO) have said that they are prepared for the transferring of data with the EU.
However, Armstrong added that there are several “little conflicts that seem insignificant” that could be quite impactful. For example, he explained that the EU-US Privacy Shield is still live, but there is an alternative Swiss scheme “that more or less mirrors EU-US privacy” which could be adapted by the UK. “I think we will end up with three schemes, but with one application form to join all three,” he said.
However, EU-UK data transfers are proving to be the problem, and there are plans to have something in place by the end of 2020. While Armstrong admitted that there is negativity around the likelihood of that happening, he was not so pessimistic as even under Brexit, GDPR will still apply because of data protection legislation passed whilst Theresa May was Prime Minister.
If new regulations on the tightening of terror laws also touch on data, though, “it gives us a harder time getting an adequacy finding” and this could lead to a further delay on agreeing data transfer laws. He also said that another factor is that the UK does not tend to pass laws fast, and sometimes they can take two/three years to be put in motion, and we are only at a stage where some work has been done on data transfers.
“There are also other issues, like will the UK still be part of the EU data protection law? There is a halfway house option where some EEA countries say ‘you can sit in the room but you cannot be chair or deputy chair and you cannot vote on some stuff’.’” Armstrong said this is the best the UK can hope for in some form, as UK businesses will have to report to individual countries’ data protection regulators in the local language, and some countries will treat foreign companies harsher than companies headquartered in their own countries.
So if a UK-headquartered company suffered a data breach, would they have to go to each national regulator where they have an office or business? “Yes possibly, but there is an equation where they could get a new lead data protection authority,” Armstrong said. “It may say that 90% of business is in France, so the joint regulator may be the UK ICO and the EU DPA. A lot of businesses will be creating their security posture based on guidance from the ICO, and if then you are governed by the Greek DPA, do you know if they correspond?”
Is it the case that we are still heading into the unknown, and we still don’t know the full details of where we are heading in the future of data protection post Brexit? He agreed, saying we may not know the detail until December as guidance is trying to be worked out by December 2020.
A slide deck seen by Infosecurity about the Internal EU27 preparatory discussions on the future relationship: Personal data protection (adequacy decisions) suggests that if the UK withdraws with an agreement on January 31 2020, it will have a transition period of 11 months for:
- Adoption of negotiating directives
- Conduct of negotiations
- Signature/conclusion and entry into force of future agreement by January 1 2021
The document said that “adequate personal data protection is an essential prerequisite for future relations” and that the Commission will endeavor to finalize adequacy assessment by the end 2020.
Armstrong said that the preferred the position of the European Commission and the UK is around the “adequacy decision,” which is “an essential prerequisite for future relations.”
Concluding, Armstrong acknowledged the lack of clarity around the deadlines, as while the door will not slam shut to negotiations on January 31, a December 31 deadline is also uncertain as the European Data Protection Board meets once a month, “and we don’t know if the ICO is in the meeting or not, and if they are, are they in a meeting as a full participant, or as a guest?”
In some cases, where the ICO is the lead regulator, there is a question on if it will pass over control or force through legislation in the next 10 days. “Also, who does the likes of BA and Marriott appeal to, as none of that has been thought through?”
Guidance issued by Cordery claims that “Brexit clearly will have an impact on data protection” as it is unlikely that the UK will weaken its data protection law, and data protection law is a key part of the UK legislative framework, and the UK has played a key role in developing GDPR and in enforcing data protection legislation.
However, many issues do remain unsolved and just as Brexit has rolled along seemingly unsolved since the June 2016 referendum, it doesn’t seem that the situation regarding the future of data protection is going to be easily resolved either.