Beyond GDPR: How Brexit Affects Other Data Laws

Jun 20, 2019

By Dawn Ingley



Since the United Kingdom (UK) voted in June, 2016, to exit the European Union (i.e., “Brexit”), the question in many minds has been, “Whither GDPR?”  After all, the UK was a substantial contributor to this legislation. The UK has offered assurances that it intends to, in large part, harmonize its data protection laws with GDPR. However, GDPR isn’t the only law or regulation which governs data protection in the European Union. And in some cases, the answers for the UK in a post-Brexit world are far less clear.

Privacy and Electronic Communications Regulations (PECR)

The PECR rules address marketing, cookies and electronic communications such as emails, texts and faxes. PECR is established within the UK framework of laws and so even after Brexit takes effect, it would continue to apply to the UK. The issue, however, is that PECR will be replaced, most likely in the next two years, by the ePrivacy Regulation, which is designed to be a complement to GDPR. The ePrivacy Regulation addresses personal privacy across electronic communications in a more specific manner than does GDPR. Specifically:

  • Metadata associated with online communications content must be anonymized or deleted if users do not provide consent to it being retained.
  • With limited exceptions, online web surfers must be given the option of tiered cookie policies in which consent may be withdrawn at any time.
  • It clarifies that it applies to machine-to-machine communications that may typically occur in an IoT setting.

How and whether the UK chooses to incorporate the ePrivacy Regulation into its set of data protection laws depends in large part upon whether the Brexit Withdrawal Agreement is ratified. If the ePrivacy Regulation were to take effect during any Brexit transition period as set forth in the Brexit Withdrawal Agreement, then the new regulation would automatically become part of UK law. However, if the ePrivacy Regulation were not to be finalized during the transition period outlined in the Brexit Withdrawal Agreement, then a likely scenario is that the UK retains PECR—which creates complications in that it is based on GDPR’s predecessor legislation, the EU Directive.

Directive on Security of Network and Information Systems (NIS)

NIS provides a set of parameters aimed at securing critical network and other technology systems. It is aimed primarily at digital service providers such as search engines, cloud computing services and online marketplaces. As with PECR, NIS laws are specifically set forth in UK laws, and so will continue to apply after Brexit. One important caveat exists, however—if the UK is unable to negotiate a Brexit deal prior to the October 31, 2019, deadline, then UK companies may be required to adhere to the locally implemented NIS laws of other member states in which they provide products or services.

Electronic Identification, Authentication and Trust Services Regulation (eIDAS)

eIDAS regulates European electronic identification, authentication and trust services. As eIDAS isn’t incorporated into UK laws or regulations, eIDAS will cease to exist for purposes of the UK. The UK government has indicated recently that it intends to implement its own identification/authentication rules once Brexit takes effect.

Uncertainty around eIDAS applicability is particularly concerning, in that its very purpose was to create standardization across technologies such as electronic signatures and related trust services. Ideally, this critical need for standardization will drive British authorities to closely model their own regulations after eIDAS.

Taken as a whole, the impact of Brexit upon business both within and outside the EU is considerable, and these uncertainties make a large problem even more complex. For those nations (and more specifically, businesses) outside of the EU, it is likely that they will need to develop one playbook for doing business in and with the businesses in the EU, and another playbook for dealing with the UK. Indeed, the playbooks will overlap in some respects, but even if just viewing these issues through the lens of data protection, Brexit creates an entirely new scenario in which the UK is fundamentally its own country with its own rules.
