You are in:
Home » Guest Comment » GUEST COMMENT Brexit and other EU adventures – what’s the impact on how a global retailer handles its customer data?
GUEST COMMENT Brexit and other EU adventures – what’s the impact on how a global retailer handles its customer data?
This is an archived article -
we have removed images and other assets but have left the text unchanged for your reference
The UK’s referendum result in June 2016 defied all the pollsters when the nation voted to cut ties with the European Union and go it alone. The shock result caused political upheaval, a tumbling FTSE 100 and economic uncertainty. While the UK scrambles to determine how Brexit will play out, what ramifications might already be starting to unfold across British businesses and organisations, particularly those operating in the retail sectors?
Recent developments in data protection laws in the UK, the EU and those affecting data transfers to the US, may have been rather overshadowed by the Brexit vote in the UK this summer, but it’s important to consider where this leaves global retail businesses as they continue to handle the personal information of UK customers and contacts.
For businesses who transfer the personal data of customers located in the UK to non-EU locations, there have always been various options available to ensure this information can be transferred without being in breach of UK and EU data protection laws.
Transfers of data from within the EU to US companies took a surprise blow towards the end of 2015, when the Schrems campaign group secured a game-changing declaration from the Court of Justice for the EU (CJEU), declaring the ‘Safe Harbour’ scheme invalid. The Safe Harbour scheme had, until this point in October 2015, provided the basis upon which a US organisation could self-certify its ability to protect the privacy of individuals about whom it held personal data. Compliance within this scheme also allowed EU-based organisations to transfer information without being in breach of data protection legislation. So, if your website’s card payment service is supplied by a US provider (and many are based out of the Fintech Hub in Atlanta, USA), then this type of regular transfer of customer information is critical to the smooth running of your website.
The primary options for achieving compliance whilst making such a transfer of customer information from within the EU to outside the EU currently rely on one of the following:
1. Adequate levels of protection – the data is only being transferred to one of a very limited list of countries which has been declared by the EU as providing an adequate level of protection.
2. Binding corporate rules – the transfer is between group companies and is governed by a set of rules approved by the Information Commissioner in the UK between a UK company and members of its own group of companies.
3. Standard Contractual Clauses (SCC) – the transfer is governed by a contract incorporating the EU-approved model clauses for data transfer; or
4. Express consent – the individuals involved have expressly given their consent to the transfer of their data outside the EU.
The most common approach tends to be a combination of consent of the individuals concerned and use of contracts incorporating the EU-approved SCC.
After the surprise overturning of the Safe Harbour scheme just over a year ago, the EU and the US worked hurriedly to develop an alternative called the “Privacy Shield”. This is becoming an increasingly important transfer mechanism. Perhaps more notably, for transfers to countries outside the EU and the US, the campaign group behind the Safe Harbour legal action has also initiated something similar, calling into question the use of SCC. Its action, instigated in Ireland, has already been referred to the CJEU, with every chance of another disruptive decision.
So, any organisation that has been relying on the SCC to ensure its compliance in transferring data from or about UK or EU customers or contacts will need to watch that particular action for developments. Similar quick reactions might be needed by the regulatory bodies as well as retailers handling customer data if another disruptive judgment is on the cards.
In other developments, the new EU General Data Protection Regulation (GDPR) came into force in May 2016 and will now automatically take effect throughout the EU (including the UK if it is still part of the EU at that time) from 25 May 2018.
Should Brexit alter the approach to data protection being taken by any retailer handling the data of its UK based customers? In short, no, because Brexit will take time.
It is highly unlikely that the UK will leave the EU before the expiry of the two-year time limit, even after issuing the Article 50 notice which triggers negotiations with the EU. Therefore, there’s at least a two-year window during which compliance will need to be abided by under the current UK Act and EU Directive.
That is, until the GDPR takes effect in May 2018, at which point those handling UK customer data or selling their goods and services into the UK market will need to comply with the new GDPR. In fact, in November 2016, the Secretary of State for Culture, Media and Sport confirmed that as the UK will still be a member of the EU in May 2018, businesses do need to continue to plan for full compliance with the GDPR.
In all likelihood, and the Secretary of State’s recent comments support this approach, the UK data protection regime will have to adapt to align itself closely with the new approach in the GDPR, regardless of Brexit. Once the UK is outside the EU, it is going to need something very similar to the GDPR in place in order to make transfers from the EU to the UK compliant.
By looking to achieve good data protection compliance now and by adapting to the developing data protection landscape, any global retailer will be able to achieve an element of future-proofing as the UK data protection regime adjusts to accommodate Brexit, no matter how far off it may seem at present.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
You are in: Home » Guest Comment » GUEST COMMENT Brexit and other EU adventures – what’s the impact on how a global retailer handles its customer data?
GUEST COMMENT Brexit and other EU adventures – what’s the impact on how a global retailer handles its customer data?
by Emma Roe
This is an archived article - we have removed images and other assets but have left the text unchanged for your reference
The UK’s referendum result in June 2016 defied all the pollsters when the nation voted to cut ties with the European Union and go it alone. The shock result caused political upheaval, a tumbling FTSE 100 and economic uncertainty. While the UK scrambles to determine how Brexit will play out, what ramifications might already be starting to unfold across British businesses and organisations, particularly those operating in the retail sectors?
Recent developments in data protection laws in the UK, the EU and those affecting data transfers to the US, may have been rather overshadowed by the Brexit vote in the UK this summer, but it’s important to consider where this leaves global retail businesses as they continue to handle the personal information of UK customers and contacts.
For businesses who transfer the personal data of customers located in the UK to non-EU locations, there have always been various options available to ensure this information can be transferred without being in breach of UK and EU data protection laws.
Transfers of data from within the EU to US companies took a surprise blow towards the end of 2015, when the Schrems campaign group secured a game-changing declaration from the Court of Justice for the EU (CJEU), declaring the ‘Safe Harbour’ scheme invalid. The Safe Harbour scheme had, until this point in October 2015, provided the basis upon which a US organisation could self-certify its ability to protect the privacy of individuals about whom it held personal data. Compliance within this scheme also allowed EU-based organisations to transfer information without being in breach of data protection legislation. So, if your website’s card payment service is supplied by a US provider (and many are based out of the Fintech Hub in Atlanta, USA), then this type of regular transfer of customer information is critical to the smooth running of your website.
The primary options for achieving compliance whilst making such a transfer of customer information from within the EU to outside the EU currently rely on one of the following:
1. Adequate levels of protection – the data is only being transferred to one of a very limited list of countries which has been declared by the EU as providing an adequate level of protection.
2. Binding corporate rules – the transfer is between group companies and is governed by a set of rules approved by the Information Commissioner in the UK between a UK company and members of its own group of companies.
3. Standard Contractual Clauses (SCC) – the transfer is governed by a contract incorporating the EU-approved model clauses for data transfer; or
4. Express consent – the individuals involved have expressly given their consent to the transfer of their data outside the EU.
The most common approach tends to be a combination of consent of the individuals concerned and use of contracts incorporating the EU-approved SCC.
After the surprise overturning of the Safe Harbour scheme just over a year ago, the EU and the US worked hurriedly to develop an alternative called the “Privacy Shield”. This is becoming an increasingly important transfer mechanism. Perhaps more notably, for transfers to countries outside the EU and the US, the campaign group behind the Safe Harbour legal action has also initiated something similar, calling into question the use of SCC. Its action, instigated in Ireland, has already been referred to the CJEU, with every chance of another disruptive decision.
So, any organisation that has been relying on the SCC to ensure its compliance in transferring data from or about UK or EU customers or contacts will need to watch that particular action for developments. Similar quick reactions might be needed by the regulatory bodies as well as retailers handling customer data if another disruptive judgment is on the cards.
In other developments, the new EU General Data Protection Regulation (GDPR) came into force in May 2016 and will now automatically take effect throughout the EU (including the UK if it is still part of the EU at that time) from 25 May 2018.
Should Brexit alter the approach to data protection being taken by any retailer handling the data of its UK based customers? In short, no, because Brexit will take time.
It is highly unlikely that the UK will leave the EU before the expiry of the two-year time limit, even after issuing the Article 50 notice which triggers negotiations with the EU. Therefore, there’s at least a two-year window during which compliance will need to be abided by under the current UK Act and EU Directive.
That is, until the GDPR takes effect in May 2018, at which point those handling UK customer data or selling their goods and services into the UK market will need to comply with the new GDPR. In fact, in November 2016, the Secretary of State for Culture, Media and Sport confirmed that as the UK will still be a member of the EU in May 2018, businesses do need to continue to plan for full compliance with the GDPR.
In all likelihood, and the Secretary of State’s recent comments support this approach, the UK data protection regime will have to adapt to align itself closely with the new approach in the GDPR, regardless of Brexit. Once the UK is outside the EU, it is going to need something very similar to the GDPR in place in order to make transfers from the EU to the UK compliant.
By looking to achieve good data protection compliance now and by adapting to the developing data protection landscape, any global retailer will be able to achieve an element of future-proofing as the UK data protection regime adjusts to accommodate Brexit, no matter how far off it may seem at present.
Emma Roe is a partner at Shulmans LLP
Read More
You may also like
Register for Newsletter
Receive 3 newsletters per week
Gain access to all Top500 research
Personalise your experience on IR.net