Director of Regulatory Compliance Studies at Loyola University Chicago School of Law
Now that the UK referendum has expressed the voters’ preference to leave the European Union, there are some fascinating questions regarding how compliance programs deal with the unwinding. There is still considerable time to wrestle with these matters since both major candidates for the Conservative Party leadership (and, therefore, the candidates to be the new Prime Minister) have indicated that they would not trigger the two-year withdrawal negotiations until 2017. Over the coming months this blog will take a look at how the UK unravels itself out of the regulatory tentacles of the EU. We will examine this from the perspective of compliance programs, which must educate and audit a company against existing laws. Knowing what the laws are is the first step in knowing whether the organization is in compliance. Knowing what the laws are is not always an easy proposition even during stable times, let alone times of significant constitutional and legal change.
Under a complex hierarchy of treaty commitments, there are various types of EU “laws” that bind all Member States. Sometimes the Member State does not need to do anything and the EU law binds directly, while under other circumstances the EU requires a Member State’s legislature to pass a law that is, if not verbatim, then substantially similar. We see both types of laws in operation in privacy compliance.
In 1995, the EU adopted the Data Privacy Directive (Directive 95/46/EC), which is one of the types of EU “laws” that requires the Member States to adopt it in their legislatures. There was a significant change in the EU privacy landscape in 2016 with the EU’s passing of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), which repeals and replaces the 1995 Directive. The GDPR will not be effective until May 25, 2018, but importantly it is an EU Regulation and does not need to be adopted by Member States to become law across the 28 countries that are currently part of the Union. The GDPR has a dual purpose in trying to (1) promote privacy protection of personal data, and (2) create greater ease in the flow of data among Member States. This is a difficult mountain to climb for the GDPR inasmuch as there are very basic questions about whether it is feasible to increase a person’s rights over their personal data while at the same time making it easier for a third party holding the data to exchange and move that data. On its face, the GDPR’s goals seem irreconcilable without a very fine dance.
A significant departure in the GDPR from the 1995 Directive involves imposing more administrative structure on the controller of data in order to manage compliance with the GDPR and track both the consents required from data subjects and the exercise of rights by those subjects. Article 37 of the GDPR discusses a leader within the controller of data who must oversee the compliance efforts, this person being known as the “data protection officer.” Not all controllers of data are required to appoint data protection officers. The strict obligation applies mostly to two types of organizations: public institutions processing personal data and private companies that engage in “systematic monitoring of data subjects on a large scale.” Considering that the use of electronic cookies allows collection and tracking of enormous amounts of personal data, it seems hard to imagine that most companies that actively engage in collecting personal data via internet usage would not be subject to the data protection officer obligation. Article 37(4) goes on to strongly encourage firms that are not required to appoint a data protection officer to voluntarily do so (“controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer”) and tacitly encourages Member States to expand local jurisdiction beyond the GDPR’s requirements. Even if an organization is not obligated by law or ethics to have a data protection officer, it would be prudent for companies to have data protection officers to coordinate this task. The reach of the data protection officer requirement has not yet been tested as to whether it will be interpreted as extending to downstream contractors of companies that are required under the GDPR to appoint one.
All of the administrative details of how to comply with the GDPR strike me as another iteration of a privacy compliance program. Although the 1995 Directive does not obligate Member States to require privacy compliance programs, many large data users in the UK have prudentially established them. The GDPR does not make a privacy compliance program a matter of prudence but a matter of obligation for a sizable number of companies.
Brexit means UK firms would not be required to have privacy compliance programs — or does it? Exiting the EU may take the UK up to two years to negotiate, and so it is conceivable that the UK would not leave until early or mid-2019. Since the GDPR has a compliance date of May 2018, the UK is likely to still be under the privacy compliance program obligation for at least one-half of a year or more. If invoking the exit clause (Article 50 of the Lisbon Treaty) does not happen until 2018 or later, then the GDPR would most certainly come into effect before the UK leaves the EU. But if the GDPR goes into effect after Article 50 is invoked but before complete withdrawal, what should a firm do in that time period? Presumably the company will be expected to comply with EU law because the GDPR will be “law” in the UK until the UK formally leaves the European Union. But the question of whether or not to comply may be moot for a large number of controllers of data because the obligation runs to any firm that is operating in the EU. If a UK company is required to comply with the GDPR before the UK withdraws from the EU and the company continues to do work in the EU after Brexit, then the company will be required to comply with the GDPR as a condition for doing business in the EU. The European Union flag may no longer fly in the island realm, but it will be very difficult as a practical matter for the UK to disentangle its legal obligations under the EU when its companies do business on the continent. But it is a red herring to think that the UK will be alone in the predicament of many UK-based companies needing to comply with EU law even once the company’s primary jurisdiction is not subject to the EU; the GDPR obligations apply to any company in the world doing business in the EU, whether that company be US-based, China-based, or UK (post-Brexit)-based.
While many UK companies still face long-term privacy compliance obligations under the GDPR after Brexit, before the UK leaves the EU there will be a curious period in which to observe how a country deals with new laws that it knows will sunset soon. We will see many short-term compliance periods over the next two years as new EU laws transition in while the UK transitions out.