The Legal Implications of Brexit to Data Protection and Privacy Laws
The referendum of the United Kingdom to leave the European Union has created numerous unanswered questions in the field of data protection and security. Brexit has left organizations in UK wondering whether and when will they have to comply with the requirements of the General Data Protection Regulation (GDPR), more importantly, with the GDRP coming into force on May 25, 2018.
UK's data protection laws are modeled upon EU laws. Regardless the relationship between the UK and the EU, there is still a great need to update data protection law to safeguard the growing digital economy.
In this LIVE Webcast, a panel of thought leaders and professionals assembled by The Knowledge Group will provide the audience with an in-depth analysis of the fundamentals as well as the legal implications of Brexit to Data Protection and Privacy Laws. Speakers will provide the key trends and important developments with regard to this significant topic.
Key topics include:
- Data Protection and Privacy - Implications of Brexit
- Changes to the Data Protection Regime
- Significant Influence of the General Data Protection Regulation (GDPR)
- Recent Trends and Developments
- Potential Risks and Pitfalls
Courtney Bowman, Litigation Associate
Tim Hickman, Attorney
White & Case
- The full impact of Brexit is still some way off. Negotiations are unlikely to be concluded before March 2019, and the implementation of the negotiated settlement may take several years. Meanwhile, enforcement of the General Data Protection Regulation (“GDPR”) begins on 25 Mary 2018.
- Consequently, there will be a period in which the GDPR is fully enforced in the UK, and businesses operating in the UK will need to become GDPR compliant. In short, Brexit will not save UK businesses from the GDPR.
- After Brexit becomes effective, the UK government has indicated that it will effectively implement the GDPR into domestic law. The reason for this is that data transfers to the UK from the remaining 27 EU Member states will become significantly harder unless the UK secures an “adequacy decision” from the European Commission. Such a decision is unlikely unless the UK has a domestic law that reflects the data protection standards set out in the GDPR. As a result, even after Brexit becomes effective, UK businesses will still face GDPR-style compliance obligations.
- However, post-Brexit (even assuming that the UK obtains an adequacy decision) there will still be some important differences between the UK and the remaining 27 EU Member States. Most importantly, businesses will not be able to have their “main establishment” in the UK. UK businesses with operations in the remaining EU Member States will therefore be regulated , for EU purposes, by the Data Protection Authority of one of the remaining EU Member States.
- A few other components of Brexit that may not seem to be directly related to data protection still will have an impact on that area. For example, one of the outstanding issues is whether and to what extent the UK will remain bound by (or, perhaps more likely, influenced by) decisions passed down by the Court of Justice of the EU (CJEU). The CJEU has made important decisions in the past that have had an effect on data protection; for example, it was a CJEU decision that essentially rendered the EU-US Safe Harbor program invalid. One question that remains unanswered is to what extent the UK will remain bound to the CJEU’s decisions, or whether and to what extent UK data protection authorities will look to CJEU decisions for guidance in that area.
- There are a few practical steps US-based companies can take in the lead-up to Brexit.
- First, it is important to assess how much personal data the company collects from UK data subjects and what mechanism the company is using to legalize these transfers to the US. The company will have to be prepared to update that legal mechanism as appropriate in order to conform to any new UK requirements relating to data transfers.
- The company also should assess whether its current primary (or only) EU establishment is in the UK (as this likely is the case for a fair number of US-based companies). It should determine the extent to which it has or can generate other establishments in the EU in order to have a “one stop shop” there. If it has no EU establishments, the company should develop a compliance plan to meet the requirements of, and work with the DPAs in, all of the EU jurisdictions in which it operates.
Who Should Attend:
- Data Protection Officers
- Privacy and Security Professionals
- Data Management Officers
- Chief Privacy Officers
- Chief Information Officers
- Risk and Compliance Managers
- Chief Information Security Officers
- Chief Risk Officers
Courtney Bowman is an associate in the Litigation Department and a member of Proskauer’s Privacy & Cybersecurity practice group. She assists clients in a wide variety of industries with issues related to privacy, data security, and general commercial litigation. Courtney has helped clients develop and implement global privacy programs, has assisted clients in legalizing cross-border data transfers, and regularly counsels clients on compliance with EU data protection laws and regulations. She is a regular contributor to Proskauer’s Privacy Law Blog and frequently speaks to the media on issues relating to international privacy and data security. She also has authored articles on data security and e-commerce issues in the Middle East, and on compliance with privacy laws in that region. She is accredited by the International Association of Privacy Professionals ("IAPP") as a certified information privacy professional (CIPP) in both the U.S. private sector (CIPP/US) and Europe (CIPP/E). In addition, Courtney has an active pro bono practice that focuses on Iraqi and Afghan refugee assistance, and is a supervising attorney for the Iraqi Refugee Assistance Project (IRAP). She has worked with Kids in Need of Defense to represent a child asylum applicant. In 2015, Courtney received Proskauer’s Golden Gavel Award in recognition of her pro bono work on behalf of Iraqi refugees.
Courtney Bowman is an associate in the Litigation Department and a member of Proskauer’s Privacy & Cybersecurity practice group. She …
Tim Hickman is an associate in the London office of White & Case LLP. He advises on all aspects of UK and EU privacy and data protection law, from general compliance issues (such as implementing privacy policies and consent forms) to more specialized issues (such as managing data breaches, structuring cross-border data transfers, and complying with the 'right to be forgotten'). Tim has a detailed knowledge of the EU's General Data Protection Regulation, and co-authored White & Case's Handbook on that legislation (http://whitecase.com/eu-gdpr-handbook).
Tim Hickman is an associate in the London office of White & Case LLP. He advises on all aspects of …
Print and review course materials
Method of Presentation:
Experience in data security and privacy law
NASBA Field of Study:
Information Technology - Technical
NY Category of CLE Credit:
Unlock All The Knowledge and Credit You Need
Leading Provider of Online Continuing Education
It's As Easy as 1, 2, 3
Get Your 1-Year All Access Pass For Only $199
Proskauer is a global law firm recognized for its excellence both in practicing law and serving clients. We are trusted advisors to many of the world’s top companies, financial institutions, investment funds, not-for-profit institutions, governmental entities and other organizations across industries and borders. With 700+ lawyers in 13 offices and approximately 50 areas of practice, we have the capabilities, experience and creativity to guide our clients through their most important legal and business challenges.
About White & Case
White & Case, a truly global law firm, has one of the largest and most experienced data privacy and cyber security groups in the world. Our team guides clients through the relevant data protection legislation in the jurisdictions in which they are active. We work seamlessly with our counterparts in other practices to provide integrated, creative and practical advice on the privacy-related concerns faced by our clients, wherever they are located.