One Less Brexit Worry: Privacy Shield Not Imperiled—For Now, Lawyers Say
As Thursday's U.K. vote to leave the EU has sparked concern among telecoms on the Continent (see 1606240021) and has led to many questions from U.S. telecom operators with European business (see 1606270075), it may not scotch an international data transfer deal, industry lawyers told us this week. The proposed trans-Atlantic data transfer agreement Europeans negotiated with the U.S. may be approved as early as next week, some said. The Article 31 Committee, comprised of EU's member state representatives, is to review the revised Privacy Shield Wednesday (see 1606270055) with a possible vote July 4, a European Commission spokeswoman told us Tuesday. That would set up a likely EC vote on the arrangement on the following day, she said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Several experts said they expect the proposal to be approved. "I am told there is a high likelihood that it will go through," emailed Linklaters (Brussels) privacy attorney Tanguy Van Overstraeten, referring to the EC passage. But some said that won't stop a court challenge of the agreement, which succeeds the safe harbor agreement nullified by the European Court of Justice in October.
Some in the Article 31 Committee "want a deal to be done especially given the upcoming hearing in Ireland over model contractual terms," emailed Jonathan Armstrong, an attorney with London-based Cordery. He was referring to the Irish High Court considering a lawsuit by Austrian lawyer Max Schrems regarding the validity of Facebook's use of model contract clauses, which some U.S. companies are using to legally transfer data (see 1606130002). "Even if a new Privacy Shield is blessed I don’t think it will be immune to court challenge for the same reasons as Safe Harbor was attacked -- which are also similar to the reasons for the new Irish challenge." The U.S. is doing better at explaining its laws in the Irish case, he said, saying U.S. officials have been contacting European politicians as well: "I think Privacy Shield will be tested in court and it's that uncertainty which will hamper it whichever way Art 31 decides.”
Some said Brexit's effect on Privacy Shield is negligible. Ogletree Deakins attorneys Simon McMenemy, Grant Petersen and Hendrik Muschal wrote in a blog post Monday that "with respect to companies transferring data from the United Kingdom (U.K.), the Brexit vote will not have any impact on the EU-U.S. Privacy Shield in the short-term, as Britain will not depart the EU until 2018 at the earliest." They said the U.K. will adopt something similar to Privacy Shield "to remain on equal footing with the EU." That view was largely shared by Hogan Lovells data protection attorney Eduardo Ustaran. He said the "real challenge" post-Brexit is how the U.K. would get data from the EU.
A Brexit government might "try and make its mark by rejecting anything that is seen as Brussels-born red tape and business-constraining," including data protection law, warned Ustaran in a Tuesday blog post. Data protection may be "obscure, difficult to understand and comply with, and a tad nerdy," but it's vital for any progressive jurisdiction that wants to support its businesses, protect its citizens and maximize the value of personal data," he wrote. The U.K. must make a "crucial public policy decision " about whether to carry on with adopting the EU general data protection regulation (GDPR), ignore it or do something in-between, he said.
Failure to adopt the GDPR risks the U.K. becoming an "inadequate" jurisdiction for data originating from the EU, Ustaran said. He said data protection law exists to give people some control over their personal information by ensuring that privacy intrusions are reasonable and tolerable in a democratic society. Without data protection, people's privacy will be exposed and their freedom compromised, he said: The U.K. government must "find a responsible and effective form of regulation, bearing in mind that information is global and precious.”
The U.K. Data Protection Act "remains the law of the land" regardless of the referendum result, said the Information Commissioner's Office in a statement last week. If Britain wants to trade with the EU single market on equal terms, it will have to prove adequacy by showing its data protection laws are equivalent to the GDPR, a spokesperson said: The ICO "will be speaking to government to present our view that reform of the UK law remains necessary.”