{"id":83,"date":"2016-07-02T07:15:55","date_gmt":"2016-07-02T07:15:55","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=83"},"modified":"2016-07-02T07:15:55","modified_gmt":"2016-07-02T07:15:55","slug":"brexit-privacy-compliance","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=83","title":{"rendered":"Brexit &amp; Privacy Compliance"},"content":{"rendered":"<p><em>Ryan Meade<\/em><br \/>\n<em>Editor-in-Chief<\/em><br \/>\n<em> Director of Regulatory Compliance Studies at Loyola University Chicago School of Law<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>Now that the UK referendum has expressed the voters&#8217; preference to\u00a0leave the European Union, there are some fascinating questions regarding how compliance programs deal with the unwinding. \u00a0There is still considerable time to wrestle with these matters,\u00a0since both major candidates for the Conservative Party leadership (and, therefore, the candidates to be the new Prime Minister) have indicated that they would not trigger the two-year withdrawal negotiations until 2017. \u00a0Over the coming months this blog will take a look at how the UK unravels itself from\u00a0the regulatory tentacles of the EU. \u00a0We will examine this from the perspective of compliance programs, which must educate and audit a company against existing laws. \u00a0Knowing what the laws are is the first step in knowing whether the organization is in compliance. \u00a0Knowing what the laws are is not always an easy proposition even during stable times, let alone times of significant constitutional and legal change.<\/p>\n<p>Under a complex hierarchy of treaty commitments, there are various types of EU &#8220;laws&#8221; that\u00a0bind all Member States. \u00a0Sometimes the Member State does not need to do anything and the EU law binds directly (a regulation), while under other circumstances the EU requires each Member State&#8217;s legislature to pass its own law implementing the measure, if not verbatim then substantially similar (a directive). 
\u00a0We see both types of laws in operation in privacy compliance.<\/p>\n<p>In 1995, the EU adopted the Data Protection Directive (Directive 95\/46\/EC), which is one of the types of EU &#8220;laws&#8221; that requires the Member States to adopt it in their legislatures. \u00a0There was a significant change in the EU privacy landscape\u00a0in 2016 with the EU&#8217;s passing of the General Data Protection Regulation\u00a0(Regulation (EU) 2016\/679) <a href=\"http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32016R0679\">(&#8220;GDPR&#8221;)<\/a>,\u00a0which repeals and replaces the 1995 Directive. \u00a0The GDPR will not apply until May 25, 2018, but importantly it is an EU Regulation and does not need to be adopted by Member States to become law across the 28 countries that are currently part of the Union. \u00a0The GDPR has a dual purpose in trying to (1) promote privacy protection of personal data, and (2) create greater ease in the flow of data among Member States.\u00a0 This is a difficult mountain to climb for the GDPR, inasmuch as there are very basic questions about whether it is feasible to increase a person&#8217;s rights over their personal data while at the same time making it easier for a third party holding the data to exchange and move that data.\u00a0 On its face, the GDPR\u2019s goals seem irreconcilable without a very fine dance.<\/p>\n<p>A\u00a0significant departure in the GDPR from the 1995 Directive involves imposing more administrative structure on the controller of data in order to manage compliance with the GDPR and track both the consents required from data subjects and the exercise of rights by those\u00a0subjects.\u00a0\u00a0Article 37 of the GDPR requires certain controllers and processors to designate a person who oversees their compliance efforts, this person being known as the \u201cdata protection officer.\u201d\u00a0 Not all controllers of data are required to appoint data protection officers. 
\u00a0The strict obligation in Article 37(1) applies to three types of organizations: public authorities and bodies (other than courts acting in their judicial capacity); controllers and processors whose core activities consist of \u201cregular and systematic monitoring of data subjects on a large scale\u201d; and controllers and processors whose core activities consist of large-scale processing of special categories of data (Article 9) or of data relating to criminal convictions and offences (Article 10). \u00a0Considering that cookies and similar tracking technologies allow collection and tracking of enormous amounts of personal data, it seems hard to imagine that most companies that actively collect personal data through internet usage would escape the data protection officer obligation. \u00a0Article 37(4) goes on to permit firms that are not required to appoint a data protection officer to do so voluntarily (\u201ccontrollers or processors may or, where required by Union or Member State law shall, designate a data protection officer\u201d) and expressly leaves room for Member State law to extend the obligation beyond the GDPR&#8217;s own requirements. \u00a0Even if an organization is not obligated by law to have a data protection officer, it\u00a0would be prudent to appoint one to coordinate this task. \u00a0Because Article 37(1) addresses processors as well as controllers, a contractor that itself meets one of the thresholds is directly obligated; whether the obligation will be interpreted to reach downstream contractors that do not meet a threshold on their own is not yet tested.<\/p>\n<p>All of the administrative details of how to comply with the GDPR strike me as another iteration of a privacy compliance program. \u00a0Although the 1995 Directive does not obligate Member States to require privacy compliance programs, many large data users in the UK have prudentially established them. \u00a0The GDPR makes a privacy compliance program not a matter of prudence but a matter of obligation for a sizable number of companies.<\/p>\n<p>Brexit means UK firms would not be required to have privacy compliance programs &#8212; or does it? \u00a0Exiting the EU may take the UK up to two years to negotiate once the exit clause is triggered, and so it is conceivable that\u00a0the UK would not leave until early or mid-2019. 
\u00a0Since the GDPR applies from May 2018, the UK is likely to remain under the privacy compliance program obligation for at least half a year or more. \u00a0If the exit clause (Article 50 of the <a href=\"http:\/\/register.consilium.europa.eu\/doc\/srv?l=EN&amp;f=ST%206655%202008%20INIT\">Lisbon Treaty<\/a>) is not invoked until 2018 or later, then the GDPR would most certainly come into effect before the UK leaves the EU. \u00a0But if the GDPR comes into effect after Article 50 is invoked but before withdrawal is complete, what\u00a0should a firm do in that period? \u00a0Presumably the company will be expected to\u00a0comply with EU law, because the GDPR\u00a0will be &#8220;law&#8221; in the UK until the UK formally leaves the European Union. \u00a0But the question of whether or not to comply may be moot for a large number of controllers of data, because under Article 3 the GDPR reaches any firm established in the EU and any firm outside it that offers goods or services to, or monitors the behaviour of, people in the EU. \u00a0If a UK company is required to comply with the GDPR before the UK withdraws from the EU and continues to do business in the EU after Brexit, then it will be required to comply with the GDPR as a condition of doing that business. \u00a0The European Union flag may no longer fly in the island realm, but as a practical matter it will\u00a0be very difficult for the UK\u00a0to\u00a0disentangle its legal obligations under EU law when its companies do business on the continent. 
\u00a0But it is a red herring to think that the\u00a0UK will be\u00a0alone in the predicament of companies needing to comply with EU law even once their primary jurisdiction is outside the EU; the GDPR obligations apply to any company in the world doing business in the EU, whether that company is US-based, China-based, or UK (post-Brexit)-based.<\/p>\n<p>While many UK companies still face long-term privacy compliance obligations under the GDPR after Brexit, before the UK leaves the EU there will be a curious\u00a0period in which to observe how a country deals with new laws that it\u00a0knows will sunset soon. \u00a0We will see many\u00a0short-term compliance periods\u00a0over the next two years as new EU laws transition in while the UK\u00a0transitions out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ryan Meade Editor-in-Chief Director of Regulatory Compliance Studies at Loyola University Chicago School of Law &nbsp; Now that the UK referendum has expressed the voters&#8217; preference to\u00a0leave the European Union, there are some fascinating questions regarding how compliance programs deal with the unwinding. 
\u00a0There is still considerable time to wrestle with these matters\u00a0since both major &#8230;<br \/><a class=\"read-more-link btn btn-outline-secondary\" href=\"https:\/\/blogs.luc.edu\/compliance\/?p=83\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[323,766,936,1152,1157,1623,2038],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-brexit","tag-eu","tag-gdpr","tag-international-affairs","tag-international-privacy","tag-cybersecurity","tag-uk"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=83"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}