Cybersecurity and Data Protection
- Data Mapping: The uncertainty arising from Brexit will make it particularly important for companies to map and understand their data flows and where their data resides sooner rather than later. This includes the flow of data into the U.K. and from the U.K. to EU member states and other countries, both internally and with third-party vendors. Not only will this enable companies to comply with law, but it will enable them to evaluate the impact of legal developments as they take shape and consider making changes.
- Data Processing: Depending on whether the U.K. will be designated a country offering adequate protection by the European Commission, U.K. companies will need to think about their data protection compliance strategy when handling data processing outside the EU.
- GDPR: The new U.K. government, in conjunction with the EU, will determine the future applicability of the new General Data Protection Regulation (GDPR) within the U.K. Given that the GDPR is due to come into force in May 2018, and Brexit may take up to two years after formal notice has been given, the U.K. may proceed for some period of time with a fully implemented GDPR. The long-term applicability of the GDPR will have a direct impact on entities that operate in the United States and U.K. and collect data from any EU residents—including but not limited to the current U.K. Data Protection Act’s annual registration requirements—and the enforceability of existing binding corporate rules, codes of conduct and recordkeeping practices. The GDPR also creates new restrictions on processing certain “special categories” of personal data (Art. 9) and has extremely high maximum penalties, up to €20 million or 4 percent of total worldwide annual turnover (Art. 83). To the extent that the GDPR is intended to foster greater consistency in the application of privacy law, the constructive influence of the U.K. may not be felt.
- Privacy Shield: The Privacy Shield has been formally adopted, and as the U.K. remains a part of the EU, Brexit should therefore not interfere with its U.K. applicability in the short run. Down the road, the threats to the applicability of Privacy Shield not only are the same as before (e.g., the possibility of an adverse court decision, which was the undoing of Safe Harbor), but they also may include the possibility of the GDPR no longer applying to the U.K., resulting in a Privacy Shield mismatched to U.K. law. The latter scenario could potentially require negotiation of a new deal between the United States and the U.K., and a separate arrangement between the EU and U.K. to show the “essential equivalence” of data protection.
- Cyber Directive (the Network & Information Security (NIS) Directive): The timing of the U.K.’s exit from the EU would have a direct impact on the implementation of the proposed Cyber Directive. If the U.K. is no longer part of the EU, it would not be obliged to implement its legislation. Other factors (such as trade agreements or business requirements) may, however, lead to implementation of a national U.K. law that is similar to the Cyber Directive.
If you have any questions regarding this content, please contact the Akin Gump lawyer with whom you usually work or
*Licensed to practice for 15 years in New York and under the supervision of the partners of Akin Gump Strauss Hauer & Feld LLP. Application for admission to the California Bar pending.