Home Home About Us Practice Areas Our Attorneys Press & Publications Events Diversity Pro-Bono Careers

Digital Media, Technology & Privacy Alert >> Brexit May Complicate Privacy Issues for Ad Tech Companies

June 30, 2016

While Britain’s vote to leave the European Union (EU) shocked the world and rocked financial markets, the move has yet another set of possible repercussions in its potential to increase the complexity of the international rules governing privacy and international data transfer. As a result, the “Brexit” may change the strategy for U.S. ad tech companies seeking to enter the European market.

Before June’s Brexit vote, the EU had finalized a General Data Protection Regulation (GDPR) that is scheduled to take effect in May 2018. The GDPR will require significant compliance efforts by marketers, such as enhanced data subject consent standards, data protection officer requirements, data portability requirements and an expanded reach; however, prior to Brexit this was the only system applicable to all EU countries. Now with Brexit, that may no longer be the case.

The day after the Brexit referendum, a spokesperson for the United Kingdom’s privacy regulator, the Information Commissioner’s Office (ICO), issued a statement acknowledging that the GDPR “remains the law of the land irrespective of the referendum result.” Moreover, the spokesperson observed, if the United Kingdom is not part of the EU, then upcoming EU reforms to the data protection law would not directly apply to the United Kingdom. However, the ICO statement noted, if the United Kingdom wants to trade with the EU on equal terms, it will have to prove “adequacy” – that is, that its data protection standards are equivalent to the GDPR’s framework starting in 2018. However, due to the lengthy exit process that has not even begun, any final Brexit would likely occur after implementation of the GDPR.

Of course, “equivalent” does not mean “the same,” and businesses and services operating in the United Kingdom and the EU would have to comply with both sets of standards.

As the ICO noted, having “clear laws” with safeguards is more important than ever, given the growing digital economy. How that view will affect the framework to be adopted by Britain (assuming that it does indeed exit from the EU) remains to be seen.

The Privacy Shield
Following Brexit, there also is a question as to the effectiveness of the Privacy Shield, which recently was adopted by the United States and the EU after the EU’s Court of Justice rejected the U.S.-EU Safe Harbor Framework relied on by thousands of U.S. companies that transfer personal data to the United States from the EU.

It is not clear if a post-Brexit United Kingdom will adopt the Privacy Shield or something similar. As with the GDPR, if the United Kingdom modifies the Privacy Shield, it would require marketers to meet two sets of standards – undoubtedly similar, but also not the same.

In addition, if the United Kingdom does modify the Privacy Shield, then it could face the same challenge that led to the Safe Harbor being struck down. If that were to happen, there would be a period during which data transfers from the United Kingdom to the United States could be in jeopardy.

A Stepping Stone to the EU
To date, many U.S. ad tech companies interested in operating in the EU would first consider doing business in the United Kingdom before moving over to other EU countries. With a language and customs similar to those of the United States, but with an EU-compliant regulatory scheme, the United Kingdom offered a convenient place for U.S. companies to dip their toes into EU waters.

Going to the United Kingdom now, however, may no longer be the best entrée into Europe. Given Brexit, the conditions that the EU will require for the United Kingdom to participate in the Common Market, and the differences that may – or will – develop in the regulatory systems, are still unknown at this point.

The Bottom Line

In the short term, there may not be many (or any) changes to privacy and data practices in the United Kingdom following Brexit. However, as the process proceeds and the EU further develops and implements new standards, it is possible that a divide will develop and expand between regulatory schemes in the United Kingdom and the rest of the EU. Companies operating in European jurisdictions should continue to monitor developments and be prepared for a more complicated privacy and data security compliance landscape to develop in Europe.