The UK’s referendum result in June 2016 defied all the pollsters when the nation voted to cut ties with the European Union and go it alone. The shock result caused political upheaval, a tumbling FTSE 100 and economic uncertainty. While the UK scrambles to determine how Brexit will play out, what ramifications might already be starting to unfold across British businesses and organisations, particularly those operating in the retail sectors?
Recent developments in data protection laws in the UK, the EU and those affecting data transfers to the US, may have been rather overshadowed by the Brexit vote in the UK this summer, but it’s important to consider where this leaves global retail businesses as they continue to handle the personal information of UK customers and contacts.
For businesses that transfer the personal data of customers located in the UK to non-EU locations, there have always been various options available to ensure this information can be transferred without being in breach of UK and EU data protection laws.
Transfers of data from within the EU to US companies took a surprise blow towards the end of 2015, when the Schrems campaign group secured a game-changing declaration from the Court of Justice of the European Union (CJEU), declaring the ‘Safe Harbour’ scheme invalid. The Safe Harbour scheme had, until this point in October 2015, provided the basis upon which a US organisation could self-certify its ability to protect the privacy of individuals about whom it held personal data. Compliance with this scheme also allowed EU-based organisations to transfer information without being in breach of data protection legislation. So, if your website’s card payment service is supplied by a US provider (and many are based out of the Fintech Hub in Atlanta, USA), then this type of regular transfer of customer information is critical to the smooth running of your website.
The primary options for achieving compliance whilst making such a transfer of customer information from within the EU to outside the EU currently rely on one of the following:
1. Adequate levels of protection – the data is only being transferred to one of a very limited list of countries which has been declared by the EU as providing an adequate level of protection.
2. Binding corporate rules – the transfer is between companies in the same corporate group and is governed by a set of rules, approved by the Information Commissioner in the UK, that bind the UK company and the other members of its group.
3. Standard Contractual Clauses (SCC) – the transfer is governed by a contract incorporating the EU-approved model clauses for data transfer.
4. Express consent – the individuals involved have expressly given their consent to the transfer of their data outside the EU.
The most common approach tends to be a combination of consent of the individuals concerned and use of contracts incorporating the EU-approved SCC.
After the surprise overturning of the Safe Harbour scheme just over a year ago, the EU and the US worked hurriedly to develop an alternative called the “Privacy Shield”. This is becoming an increasingly important transfer mechanism. Perhaps more notably, for transfers to countries outside the EU and the US, the campaign group behind the Safe Harbour legal action has also initiated something similar, calling into question the use of SCC. Its action, instigated in Ireland, has already been referred to the CJEU, with every chance of another disruptive decision.
So, any organisation that has been relying on the SCC to ensure its compliance in transferring data from or about UK or EU customers or contacts will need to watch that particular action for developments. Similar quick reactions might be needed by the regulatory bodies as well as retailers handling customer data if another disruptive judgment is on the cards.
In other developments, the new EU General Data Protection Regulation (GDPR) came into force in May 2016 and will now automatically take effect throughout the EU (including the UK if it is still part of the EU at that time) from 25 May 2018.
Should Brexit alter the approach to data protection being taken by any retailer handling the data of its UK based customers? In short, no, because Brexit will take time.
It is highly unlikely that the UK will leave the EU before the expiry of the two-year time limit that starts when the Article 50 notice triggering negotiations with the EU is issued. Therefore, there is at least a two-year window during which organisations will need to continue complying with the current UK Act and the EU Directive.
That is, until the GDPR takes effect in May 2018, at which point those handling UK customer data or selling their goods and services into the UK market will need to comply with the new GDPR. In fact, in November 2016, the Secretary of State for Culture, Media and Sport confirmed that as the UK will still be a member of the EU in May 2018, businesses do need to continue to plan for full compliance with the GDPR.
In all likelihood, and the Secretary of State’s recent comments support this approach, the UK data protection regime will have to adapt to align itself closely with the new approach in the GDPR, regardless of Brexit. Once the UK is outside the EU, it is going to need something very similar to the GDPR in place in order to make transfers from the EU to the UK compliant.
By looking to achieve good data protection compliance now and by adapting to the developing data protection landscape, any global retailer will be able to achieve an element of future-proofing as the UK data protection regime adjusts to accommodate Brexit, no matter how far off it may seem at present.
Emma Roe is a partner at Shulmans LLP.