The world was stunned last week when citizens of the United Kingdom (UK) voted to leave the European Union (EU). It didn’t take long for people to start asking me what this means for international data transfers with the UK and out of the UK as well as what the impact will be for background screening providers and employers who are engaged in global background screening.
I think it’s probably a little early to say exactly what will come of this. There are many articles talking about the potential negative effects on US and global business, and also some articles talking about the positive.
Here is what I can tell you:
- In May 2018, the EU will switch to a new data privacy regime called the GDPR (General Data Protection Regulation – http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679).
- The timeframe for UK to exit the EU will not start until after the notification is made to leave. This is not thought to happen until after a new Prime Minister is elected, which is slated to be done by October 2016. This will start the negotiation of the departure, which can take up to two years or more. This puts the exit at October 2018 or later.
- If the above timeline holds, the UK will be subject to the new GDPR on May 2018 until their exit from the EU sometime after October 2018. That’s about four or five months under the GDPR, at least.
- In the meantime, the UK is subject to the UK Data Protection Act.
- The GDPR has a longer reach than the current EU Directive for data processing (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data). The GDPR will apply to an organization that has an establishment in the EU. The term “establishment” is very broad and can include companies that are not located in the EU in any way but are offering goods or services to EU subjects. The GDPR, unlike the EU Directive, also applies to Processors and not just Controllers. The odds are that many UK companies will be subject to the GDPR no matter what.
Once the UK exits the EU, UK-based organizations will need to find a way to legally transfer data from the EU to the UK. The exact method of this legal transfer will not be known until the relationship between the EU and the UK is clarified. The UK could join part of the European Economic Area (EEA), like Norway. Or it could work out a special deal with the EU for data transfer. Or it could try to be declared “Adequate” for data transfers, like Canada and a handful of other countries. Maybe a form of Privacy Shield will be created for UK companies?
Companies outside of the EU, such as American (and even those in countries considered Adequate by the EU) companies, will need to find a new way to transfer data to and from the UK. Remember, the UK will no longer fall into the EU bucket — it will have its own data transfer regulations. It will also lose the umbrella of Adequacy it had from the EU with other country’s privacy regimes. I think, given the desire of UK-based companies to trade with EU-based companies, the UK will probably adopt a data protection regime that has a chance of being considered “Adequate”. After all, they will have lived under the GDPR for a few months, at least.
On the plus side, the new Information Commissioner in the UK (called the Information Commissioner’s Office or ICO – https://ico.org.uk/) is Elizabeth Denham. She is the former head of Canada’s British Columbia Data Protection Authority. Ms. Denham is highly respected in the data protection community. Her time in BC gave her practice negotiating with the EU as a compliant non-EU member entity. She took some hard-line stands when in BC, and I expect her to do the same in the UK. (If you are not familiar with her former organization’s review on the use of Criminal Record Checks in the Public Sector, it’s worth a skim. https://www.oipc.bc.ca/investigation-reports/1247)
In the short term, remember, the UK is still in the EU. They are still covered by the EU Directive and will, for at least some period of time, be under the GDPR. The GDPR will cover processors in addition to controllers and will have reach beyond the EU. If you are a background screener or using background screening services in the UK, I would plan for that.
Many of the multi-national law firms have blogs and special web sites dedicated to Brexit. Here are some I have been following:
Bird & Bird: http://www.twobirds.com/en/hot-topics/brexit
DLA Piper: https://www.dlapiper.com/en/us/focus/brexit-legal-impact/overview/
| Kerstin Bagus – Director, Global Initiatives|
Kerstin Bagus supports ClearStar’s Global Screening Program as its Director of Global Initiatives. She has more than 30 years of background screening industry experience, working for a variety of firms, large and small. Kerstin is one of the few individuals in the industry who is privacy-certified through the International Association of Privacy Professionals (IAPP) for Canada, the EU, and the U.S.
Kerstin is a passionate participant in the Professional Background Screening Association (PBSA, formerly NAPBS) and is a current member of the Board, in addition to participating on several committees. She also participates on IFDAT’s Legal Committee, with a primary focus on global data privacy.
At ClearStar, we are committed to your success. An important part of your employment screening program involves compliance with various laws and regulations, which is why we are providing information regarding screening requirements in certain countries, region, etc. While we are happy to provide you with this information, it is your responsibility to comply with applicable laws and to understand how such information pertains to your employment screening program. The foregoing information is not offered as legal advice but is instead offered for informational purposes. ClearStar is not a law firm and does not offer legal advice and this communication does not form an attorney client relationship. The foregoing information is therefore not intended as a substitute for the legal advice of a lawyer knowledgeable of the user’s individual circumstances or to provide legal advice. ClearStar makes no assurances regarding the accuracy, completeness, or utility of the information contained in this publication. Legislative, regulatory and case law developments regularly impact on general research and this area is evolving rapidly. ClearStar expressly disclaim any warranties or responsibility or damages associated with or arising out of the information provided herein.