Following the United Kingdom’s vote to leave the European Union, a decision swiftly regretted by many voters, companies in Europe are now faced with a host of questions. Will they be able to exchange data with businesses in England, Scotland, Wales and Northern Ireland in the future? Under what conditions? How securely is data stored there? And how will data protection legislation change in the UK after Brexit?
As long as the UK remains a member of the EU – and that is something which won’t change for some time despite the referendum results – it’s business as usual. But as soon as the country officially notifies the European Council of its intention to withdraw from the European Union and one of the country’s political representatives has signed the papers, we can expect the following to happen:
Joining the queue and putting the kettle on
Transferring data to the United Kingdom will no longer mean transferring it to another EU member state, but to a third country. That could lead to one of three scenarios in terms of the form which bilateral data-based relationships with British companies, data centers, and software and cloud storage providers can take: The UK is still a member of the EEA and is therefore subject to similar data protection regulations as EEA member states Norway, Iceland and Liechtenstein. These countries have been declared by the European Commission as offering the necessary level of protection when it comes to adequacy decisions.
Reviewing the admissibility of data transfer to third countries
Or Britain could follow the Swiss model by recognizing and signing the relevant parts of EU law under special agreements. This could include the EU’s Data Protection Directive and Data Protection Regulation.
If the UK fails to reach an agreement with the EU, it will become a ‘third country’ and the same principles, caveats and restrictions apply to businesses in Europe as those that apply to other data transferred across borders elsewhere in the world, whether North or South America, Africa or Asia. Under EU data protection law, such countries are considered generally ‘unsecure’ and data protection requirements in Europe require data transfer and storage measures to be as comprehensive as possible in order to guarantee an adequate level of data protection.
This especially applies to personal data. A simple agreement on processing personal data in accordance with local regulation is no longer sufficient in this case.
We now need to wait and see what conditions the EU and the UK agree on after the resulting negotiations. Yet the fact remains that there will be a growing need and desire for solutions allowing companies to retain control over their data while enabling them to enjoy all the opportunities of flexible collaboration within and between businesses on the digital transformation of the company. The iExtranet from Oodrive can be hosted on-site as SaaS or in a private cloud, depending on requirements. Hosting in Europe is however always guaranteed for Oodrive customers in the country, as expressly stated in the Whitepaper on Secure File Sharing and Collaboration.
Privacy Shield 2.0
The negotiations on the EU-US Privacy Shield will now be cast in a new light given the developments in the UK. If new standards on data transfer are agreed between the EU and USA, there will be the potential to apply these conditions to the UK as well at a later point.
For the USA, following the ECJ’s declaration of Safe Harbor as invalid in October 2015, there is the possibility of ensuring a suitable level of data protection by having US-based data recipients self-certify. Its successor – known as the EU-US Privacy Shield – is currently under discussion.