A No-Deal Brexit Could Compound Regulatory Pressure for Multinational Companies
If the U.K. leaves the European Union without a deal, companies may have to face another regulator and find a new representative for GDPR investigations.
September 13, 2019 at 10:30 AM
4 minute read
For the past few months, the U.K. has been locked in a bitter stalemate over its departure from the EU. And if England, Scotland, Wales and Northern Ireland leave the EU without a deal, companies could be faced with an extra regulator when handling continental Europeans' data. Plus, any company that currently calls a U.K.-based agency a lead supervisory authority or Article 27 representative will have to find an EU replacement.
As a member of the EU, the U.K. has been part of the General Data Protection Regulation (GDPR)'s "one-shop-stop" mechanism that allowed one data protection authority to be the lead authority investigating and ruling on local GDPR violations. After the U.K. leaves the European Union, that will no longer be the case.
"'The consequences of a no-deal Brexit is that the ICO [Information Commissioner's Office] will no longer be a part of the one-stop shop," said Gibson, Dunn & Crutcher privacy, cybersecurity and consumer protection practice group co-chair and partner Ahmed Baladi.
Still, Baladi said data protection will still be enforced rigidly in the U.K. after Brexit and the ICO has already confirmed it will amend the country's Data Protection Act post-Brexit.
"The fact that the U.K. is no longer part of the EU doesn't mean data flow is more flexible in the U.K.," he explained. "The U.K. has already adapted the Data Protection Act to implement the GDPR [and companies] will still have to comply with the its provisions. In terms of obligations, it's almost the same."
Meaning, if a data privacy violation occurs in the U.K and continental Europe, the entity "could face two sanctions, one from the U.K. and EU," Baladi said. "There is no mechanism ensuring consistency between the U.K. [enforcement] approach and the continental European approach."
But if the UK keeps the EU fine regimen, Andrew Dyson, DLA Piper's global privacy group co-chair said noted that a company could potentially face GDPR's significant maximum fine twice. "You could potentially be exposed to a 4% global company revenue fine in the U.K. and [whichever] other EU country is the lead."
Currently, some lawyers note that the EU and the U.K. are projecting a unified approach to data privacy, especially after the ICO announced a $230 million proposed fine against British Airways and a $124 million fine against Marriott over GDPR violations. But there's a question of if that unity will hold after Brexit.
"It's likely the U.K. will go one way and Europe will go the other way," Dyson said.
To be sure, Dyson noted that former Prime Minister Theresa May's withdrawal agreement included keeping the U.K. in the one-stop-shop during the transition period before officially leaving the EU. However, her withdrawal agreement has been rejected by the UK parliament on multiple occasions.
In addition to more potential regulatory oversight, a no-deal Brexit may also likely require companies with a U.K.-based lead supervisory authority for enforcing the GDPR to find an EU replacement. Likewise, companies with a U.K. Article 27 representative to act as their direct contact to authorities and customers for GDPR matters, will need a European representative after Brexit, lawyers said.
Dyson also noted along with establishing a different country as their lead authority and representative, the lack of an adequacy assessment from the EU makes some data transfers, risky. According to a released document, the U.K. government is also concerned about the lack of an adequacy assessment from the EU. In its document listing "worst case planning assumptions" of a no-deal Brexit, the U.K. government noted a disruption to "the flow of personal data from the EU where an alternative legal basis for transfer is not in place."
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Elon Musk Names Microsoft, Calif. AG to Amended OpenAI Suit
- 2Trump’s Plan to Purge Democracy
- 3Baltimore City Govt., After Winning Opioid Jury Trial, Preparing to Demand an Additional $11B for Abatement Costs
- 4X Joins Legal Attack on California's New Deepfakes Law
- 5Monsanto Wins Latest Philadelphia Roundup Trial
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
