Public affairs summer update â EU referendum, Theresa May and EU-US Privacy Shield

The full report is available here.

New Government

Theresa May is the new Prime Minister of the United Kingdom after a bumpy selection process that saw Boris Johnson pull out after being betrayed by Michael Gove.

She has announced her new cabinet and the new Ministers relevant for the DMA Group are; Secretary of State for DCMS, Karen Bradley, Minister for Digital and Culture, Matt Hancock and Secretary of State for Education, Justine Greening.

Matt Hancock’s portfolio includes data protection policy and so he will be the main Government Minister that the DMA will work with over this Parliament. He has background with the DMA, his family business is a member, which he use to work for. The company is called Border Business Systems.

EU Referendum

The referendum result has created uncertainty for data-driven marketing. The industry has gone from having a clear idea of what it needed to do to be compliant to not knowing what the future of UK data protection law looks like.

The problem is that marketers do not know what the future relationship between the UK and the EU will be and so what data protection legislation we enact is not known.

However, Theresa May has said that at the earliest she would activate article 50 of the Lisbon Treaty next year in 2017. Once that article is activated negotiations will take 2 years to complete. This means that UK companies will have at least 6-12 months of compliance with the GDPR while the UK is still a member of the EU.

When the UK leaves the EU any organisation processing EU citizens’ personal data will need to be General Data Protection Regulation (GDPR) compliant. The rules apply to any company processing EU citizens’ data.

When the UK Government begins negotiating after activating article 50 data protection policy will be on the agenda. It is paramount to the EU and UK to maintain the free trade in data between the EU and UK. In order for this to happen the UK will need to offer safeguards to personal data. The UK will likely need a data protection regime offering “essentially equivalent” protections to the GDPR.

Whichever way you look at it future UK data protection policy is going very similar to the GDPR and so it makes sense for UK organisations to press on with their plans to become compliant with the GDPR.

EU-US Privacy Shield

On 12 July 2016 the EU Commission deemed the EU-US Privacy Shield adequate to enable trans-Atlantic data transfers, which are essential for commerce between the EU and US. The new deal poses stronger obligations on US companies to uphold EU data protection standards.

The reason Safe Harbour was struck down by the European Court of Justice (ECJ) was that it did not give EU citizens adequate protection. The mass and indiscriminate surveillance by the US authorities was not compatible with EU data protection standards.

Privacy Shield addresses these concerns. Firstly, there will be several redress possibilities, an EU citizen can complain directly to a US company and they must respond within 45 days or with their national data protection authority who will work the US Department of Commerce to ensure a swift resolution to unresolved complaints. Secondly, the US has ruled out indiscriminate mass surveillance of personal data transferred under the Privacy Shield programme.

Furthermore, there will be annual joint review mechanism to ensure that the standards of Privacy Shield are being upheld by participants. The EU and US authorities would be able to remove organisations from the agreement, if they had failed to abide by it. Privacy Shield itself could even be suspended, if necessary.

The EU-US Privacy Shield will almost certainly be challenged in courts, whether that is by Max Schrems or another privacy advocate is not known but the EU Commission must be confident that the new agreement would survive that test. If the EU-US Privacy Shield fails there is no plan B for trans-Atlantic data flows.

You full report is available here.

Sign up to the DMA Data Protection 2016 Update to learn more about the future of UK data protection policy.