Irony Alert, Brexit Britain: Comply With EU Privacy LawPrivacy Commissioner Says Future UK Law Will Likely Mirror GDPR Anyway
Even though the U.K. is preparing to exit the EU, British businesses must prepare to comply with the EU's new data privacy law.
That was the message from Elizabeth Denham, the new U.K. information commissioner, who leads the independent British agency that oversees enforcement of the country's privacy laws.
"The major shift in the law is about giving consumers control over their data."
"The fact is, no matter what the future legal relationship between the U.K. and Europe, personal information will need to flow," Denham said Sept. 29 in London during her first speech since taking charge of the Information Commissioner's Office.
Denham says the ICO will issue guidance on complying with the EU's new General Data Protection Regulation.
"In a global economy, we need consistency of law and standards - the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent," she said. "For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the U.K."
Britain is in the midst of massive political change as the country's ruling conservative party - the Tories - attempts to figure out how to implement the results of the country's June referendum on EU membership. In the referendum, a majority of Brits voted for their country to "Brexit" the EU.
What that means, however, remains unclear. Prime Minister Theresa May now says that in six months, she'll invoke "Article 50" of the Treaty on European Union, which gives Britain two years to negotiate its EU exit. Or maybe Parliament will do the invoking - that question remains the focus of several current Brexit-related legal challenges.
Reminder: GDPR Already in Force
While the government attempts to sort through the Brexit mess it helped create, there's a privacy deadline approaching.
"It is extremely likely that GDPR will be live before the U.K. leaves the European Union," Denham said. "Remember that the GDPR is actually already in force, it is just that member states are not obligated to apply it until May 25, 2018."
In other words, until Britain leaves the EU, British businesses need to ensure that they comply with GDPR. The clock is ticking; less than 19 months remain before the deadline.
Numerous privacy law experts have been advising U.K. businesses to not delay their efforts. "To avoid disrupting the company too much with major, last-minute changes, and incurring substantial costs in the process, it is vital that businesses operating in the EU take steps now to move towards compliance with the GDPR," data protection law specialist Annabelle Richard of the law firm Pinsent Masons says in a blog post. "Waiting until early 2018 or even late 2017 will be too late."
Future Privacy Requirements
Even after Britain exits the EU, Denham says its privacy laws will likely mirror the new EU law.
"GDPR brings in new elements - and a more 21st century approach - the right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong," Denham said. "But the major shift in the law is about giving consumers control over their data. It ties in with building trust and is also part of the ICO's philosophy."
The EU law is a reminder to not mess with Europeans' privacy rights. GDPR allows EU regulators to fine any organization that violates the law up to 4 percent of its global annual revenue or €20 million ($22.5 million) - whichever is greater. And it requires businesses to notify authorities - in the U.K., that would be the ICO - whenever they experience a data breach, in most cases within 72 hours.
One of the ironies of Brexit is this: Any U.K. business that works with Europeans' personal information will still have to comply with GDPR after the U.K. leaves the EU - but without its government having any say in how the law gets enforced or revised by EU countries.