The June 23, 2016 Brexit referendum outcome in the U.K. does create uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the E.U.'s new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated new U.S./E.U. Privacy Shield, intended to replace the E.U.-invalidated Safe Harbor, faces an uncertain future in the U.K. as well if it is not an available framework for multinational businesses to do business in the U.K. For example, Microsoft stated in an open letter in May, 2016 to its 5000 U.K. employees before the Brexit vote that the U.K.'s EU membership was one of the factors that attracted Microsoft to make investments in the U.K., including in a new data center. One important future signal will be whether the U.K. opts to join the European Economic Area, or otherwise maintains significant trade with the EU, in which case the U.K. would necessarily need to comply with EU privacy regulations. If not, the U.K. would still need to develop its own data protection network. However, because at least two years must elapse before the U.K. can formally exit the EU under Article 50 of the Treaty of Lisbon, and even that two year period does not commence until formal notice is given, both the GDPR (in May 2018) and the Privacy Shield are likely to be in place in the U.K. before any actual exit from the EU occurs. And many observers believe that any law that Britain adopts will likely be similar to the GDPR, since a non-member country's data protection regime must be deemed “adequate” by the EU for businesses in that non-member country to exchange data and to do business within the EU. In short, nothing is going to change immediately, and because Brexit won’t likely be completed for years, the Privacy Shield could well be implemented in the U.K. for personal data transfers from the U.K. to the U.S. well before actual withdrawal is completed. It also may take years to negotiate and complete agreements, and enactment of alternative U.K. data privacy laws.
See our previous post regarding the text of the U.S./EU Privacy Shield...