Information Matters: does Brexit create data regulation risks or opportunities for the UK and European companies?

One of the critical issues is whether the UK will become less heavily regulated in data trading and transfer terms after Brexit, to provide a differentiated environment from the EEA – perhaps making digital trade easier with the United States. Do we expect IP, digital and data regulation in the UK to track former EU partners or develop differently over time?

Most of the noise around the General Data Protection Regulation (GDPR), for example, has concerned the UK coming into line with the EU regardless of Brexit – and for sound reasons, to ensure the adequacy of the UK as a venue for the flow of personal data from the EU.

However, it is still too early to anticipate how Brexit negotiations will go, and the Department for Culture, Media and Sport has given some indication that GDPR will be up for review once it is on the books – to see if there are ways it could be altered to favour UK business. This, after all, seems consistent with a populist Eurosceptic view about liberating the economy from "Brussels red tape" (of which data protection might be perceived in some quarters as an example par excellence).

Data regulation – what is it, and where do risks or opportunities lie?

Data regulation is not just data protection, although this is a central issue.  Data protection is the set of rules dealing with personal data – where the EU has one of the most stringent regimes in the world. It seeks to export that stringency via all means at its disposal: adequacy decisions (about which countries are "safe" to export personal data to), model clauses in contracts, setting up a "safe harbour" scheme with the US and then a CJEU ruling to knock it down again (the same fate may yet befall the Privacy Shield).

However, the EU adopts a similar approach in other areas, as we will see: so departing from the EU does not necessarily mean escaping its embrace – or its clutches – depending on one's political viewpoint.

Data regulation in its broadest sense embraces:

• Data protection
• E-privacy
• Cybersecurity
• Trade secrets
• Intellectual property
• Open data

Some of these regimes are already underpinned by international convention.  As we contemplate the possible end of the current wave of globalisation we should recall that it isn't the first.  Historians can debate how many we have had before, but current intellectual property laws bear the marks of the great wave of global integration which was extinguished by the First World War. Indeed, the founding international conventions on copyright date back to this time.

Data protection and e-privacy

As discussed, this only concerns personal data (and has been covered widely in previous Information Matters articles, including as recently as the last edition)

In brief however, GDPR overhauls all forms of EU data protection law deriving friom the 1995 Directive (including our own Data Protection Act 1998). In international data transfer terms, GDPR not only replicates the existing requirement for the third country to have adequate level of protection, but increases burden on companies outside EU who are subject to GDPR when targeting consumers in EU.  UK businesses operating with the EU or trading with the EU, employing EU staff or handling EU personal data will be subject to GDPR, whether the UK adopts GDPR or not.

For this reason, our Data Protection Minister Matt Hancock MP has confirmed that the UK will implement GDPR in order to ensure free flows of data to underpin free trade.  How, in practice?  Most likely this will be via the so-called Great Repeal Bill (in fact a method to preserve EU legislation on the grandest scale). Even if certain underpinning legislation is still required, and regardless of government's future intentions, GDPR has to come into force in Member States on 25 May 2018 – almost certainly before the UK actually exits

Surveys however suggest that readiness is still low.

What are the benefits, internationally speaking? Two obvious ones include:

• Harmonised system
• A "one stop shop" (the ability to deal with a single supervisory authority in EU – though this is one area in particular where it is hard to guess at how GDPR and the central EU authority will "bite" once Britain leaves the EU).

For business to continue much as before, post-Brexit UK will have to ensure that its regime is deemed 'adequate'. If yes, UK becomes like Switzerland, Norway, Canada, New Zealand – "favoured nations" considered safe harbours for EU citizens' personal information, without additional protections being required.

If not, the UK will most likely need to sign a supranational agreement akin to the EU US privacy shield. So how might the UK be deemed less than adequate even if it does adopt the full GDPR?

There are various possibilities once we are outside the CJEU's jurisdiction:

• The UK's own surveillance legislation has been subject to the EU Advocate General's scrutiny and he suggested that UK data retention was not necessarily objectively justifiable – note the Data Retention and Investigatory Powers Act 2014 (found unlawful by the CJEU) and the more recently rushed-through Investigatory Powers Bill, which some observers feel will be at odds with the forthcoming e-Prvacy Regulation, due for adoption on the same date as GDPR. 
• Max Schrems, the campaigner whose case against Facebook led to the EU US safe harbour being held to be invalid, has declared an interest – notably because his famous case turned in considerable part on the ability of the NSA in the United States to peer behind the curtain of personal privacy, whatever assurances were made contractually.  So the UK's quest for adequacy may run into headwinds due to its surveillance legislation, unless it waters down the latter.
• Will the UK allow EU citizens the same rights protections as they would enjoy in their home nation? This seems likely – even the US did, via the Judicial Redress Act which allows foreign citizens in EU to sue US for unlawful disclosure of personal data (and paved the way for Privacy Shield to be adopted).
• Might the UK freedom's to adopt laxer penalties – negotiated by government as a sop to UK business, and trumpeted as such by the Data Protection Minister – put its status in jeopardy, by offering inadequate remedy?
• Likewise the UK's freedom to adopt regulations and codes of practice might put it at odds with the direction of travel in Europe, but only if the Information Commissioner herself changes tack: currently the ICO is adopting a hard, privacy hawkish line.

Of course, the last two are also opportunities.  Freed from EU law precedents, the ICO might adopt a less stringent penalties regime and "business-friendly" tweaks could be made in codes of practice and secondary legislation. But this is a fine balancing act, since obstacles in trading with the EU are hardly business-friendly (reflecting the wider Brexit debate, perhaps).

There are some areas where Member States are given freedom of action which should not impact on adequacy, given that GDPR allows for a "margin of appreciation" in interpretation:

• National security (subject to the above)
• Journalism
• Freedom of speech
• Employment laws
• Professional secrecy
• Interception of communications powers

Commercial opportunities deriving from alignment with GDPR – i.e. the UK leads the world in pioneering new forms of engagement with consumers … OR from divergence from GDPR, i.e. a more liberal regime for business but risk of non-adequacy.

Note: draft e-privacy Regulation: also planned to be in force 25 May 2018 – requires consent for e-marketing and cookies, as well as adopting the higher GDPR consent standard.

Other EU developments

1. Cyber security

Not all data is personal data, including in the world of cyber security (though data breaches involving personal data are subject to the highest tier of fines in the GDPR).

The Network and Information Security (NIS) Directive entered into force on August 8^th 2016.  Implementation by March 2018. It is the "first comprehensive piece of EU legislation on cybersecurity" designed to improve cybersecurity capabilities at the national level, increase EU cooperation, and establish risk management and incident reporting obligations for operators of essential services and digital service providers

UK has to implement the Directive, or risk infraction proceedings.

There is also the common European cybersecurity standard, which (1) introduces mandatory incident reporting requirements, (2) guarantees an appropriate level of security capabilities, and (3) builds a network of competent authorities to exchange information for incident response and early warning purpose.

2.    Intellectual property

The future of EU jurisprudence and statute in terms of IP, from trade marks to trade secrets, remains a vexed question. In relation to data, however, this area is primarily concerned with copyright and databases.

The EU adopts a comparative approach to laws in other global countries eg term of copyright, database protection. Many observers feel that UK law is as harmonised as it could practically be.

In terms of current changes, looming largest is the Digital Single Market (by regulation and directive). Its stated aim is to:

• extend the text and data mining exception (already introduced into UK law somewhat ahead of the curve in 2014, but for non-commercial research);
• increase the availability of works for people across Europe, provide new distribution channels for creators and bring the EU's cultural heritage to the forefront – mainly relevant to TV and radio; and
• create a fairer market place for online content especially for press publications, online platforms and remuneration of authors and performers, especially by:
  • creating a "neighbouring" 20 year right for press publishers to control digital use of their publications – targeted at search engines in particular; and
  • requiring ISPs "that store and provide to the public access to large amounts of works … uploaded by their users" to respect agreements with rightsholders governing use of their works – in effect, YouTube and Facebook (eg) might need to proactively check for copyright material, rather than waiting to receive a take-down request from a rights holder.

What are the opportunities here, post-Brexit?  Simply, to create an environment in which people want to invest. That means improving protection but also facilitating use of IP. Considerations for innovation and differentiation include:

• Facilitating proof of title … a copyright registry, similar to that in the US?
• Industry agreements – eg government-brokered negotiations between the entertainment industry and Google / Microsoft's Bing, who have signed up to a voluntary code of practice and will ensure offending websites are demoted in their search results;
• Substantive protection for the database right (currently a weak IP right) – although if successful, how long would it take EU to match this?
• Not adopting the EU "publisher right"?
• Allowing for limited private copying without any 'fair compensation'? It was the "fair compensation" principle of EU law that led to the successful judicial review of the Government's 2014 e-copying exception ("personal copies for private use") – just as it led to the decision in Vidal-Hall v Google allowing for damages for distress for breaches of personal data. Could both now be reviewed?

For all the debate about differentiation versus harmonisation, and loss of influence over EU legislation, all this raises a bigger question – is the UK a big enough market for any of this to be worthwhile?

If you require further information on anything covered in this briefing please contact Peter Wienand([email protected]; 020 3375 7355) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Information Matters page on our website.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, March 2017