On January 9th, 2018, the EU Commission (EUC) issued a UK data protection Stakeholder Notice. The EUC Notice states that at this time there are “considerable uncertainties” regarding whether UK Data Protection Laws will be adequate after Brexit to permit international transfers of personal data from EU/EEA member countries to the UK. This is because after Brexit, the UK will not be a member of the EU and will constitute a “third country” under EU data protection laws. EU law allows for the free flow of personal data between EU/EEA member countries without the need to use EU approved data transfer mechanisms. However, it is illegal under EU law to transfer data regarding persons in the EU/EEA to non-EU/EEA member countries if the laws of the receiving country do not provide the same level of data protection as EU law. Because the UK will be a “third country” after Brexit, data transfers from EU/EEA countries to the UK will require the use of EU approved international data transfer mechanisms such as Model Contract Clauses or Binding Corporate Rules.
This EUC Notice is a prime example of why companies with operations, employees, customers, and/or prospective customers located in the UK or EU/EEA should understand their obligations under EU data protection laws.
First, international companies with EU/EEA operations, employees, customers and/or prospective customers are increasingly obligated under EU data protection laws, and the new General Data Protection Regulation (GDPR) coming May 25, 2018 in particular, to make sure that the company’s operations do not violate the EU data protection rights of persons located in the EU/EEA, including employees, regardless of the person’s citizenship.
Second, EU member state data protection authorities expect international companies with operations, employees, customers, and/or prospective customers in the EU/EEA, to have a data protection compliance program which protects personal information about persons located in the EU/EEA, regardless of citizenship, from illegal data processing including transfer of personal data out of the EU/EEA to the UK, U.S. or other non-EU jurisdictions without EU adequate protections, such as Model Contract Clauses, Binding Corporate Rules, or the EU-U.S. Privacy Shield compliance certification.
Third, now that companies are on official notice from the EU Commission that there are “considerable uncertainties” regarding whether UK Data Protection Laws will be adequate after Brexit to permit international data transfers from EU/EEA member countries to the UK, companies transferring personal data from the EU/EEA to the UK are potentially liable for the illegality of those data transfers. Beginning May 25, 2018, under the new EU General Data Protection Regulation (GDPR), potential fines for violations rise to as much as 4% of gross global sales, including the sales of all of a company’s subsidiaries. Penalties can increase if a company fails to fully cooperate with a data protection investigation or submits inaccurate responses during an investigation.
Finally, companies with operations in the EU/EEA or the UK should at a minimum review their operations for the existence of international data transfers between EU/EEA countries and the UK and seek legal assistance to make sure adequate EU data transfer mechanisms are in place.
Key takeaways from this EU Commission Stakeholder Notice for companies with employees, customers, prospective customers and/or operations in the UK or other EU/EEA countries are:
- If you do not already have a compliance program covering EU data protection laws, consider adopting one if your company has any dealings with persons located in the EU, European Economic Area (EEA), or UK regardless of those persons’ citizenship. Even a basic compliance program can help lower penalties in case of an investigation by an EU/EEA, U.S. and/or state data protection agency.
- Beginning on May 25, 2018, EU data protection fines will apply globally, impacting U.S. and non-U.S. subsidiaries of companies with employees, customers, prospective customers and/or operations in the UK or EU/EEA. Fines can reach as high as 4% of a company’s gross global sales, including all company subsidiaries. The activities of company subsidiaries should be reviewed to make sure that the company is not involved in operations which violate EU/EEA or UK data protection laws, particularly cross-border transfers of personal data from the EU/EEA to the UK, U.S. or other non-EU jurisdictions.
- Treat any contact from EU/EEA, UK, or U.S. or state data protection agencies such as the Federal Trade Commission, Department of Commerce, Securities and Exchange Commission, National Labor Relations Board, etc., with caution and discuss appropriate responses with your lawyer.
Author Linda V. Priebe, JD, CIPP/E is a Certified Information Privacy Professional/Europe (CIPP/E) and US data privacy and security compliance and federal relations attorney. She is former Deputy General Counsel, Ethics Official, and digital and social media counsel at the White House Office of Drug Policy (ONDCP) 1999-2013. She also served as Ethics Advisor in the White House Office of the Counsel to the President. Linda was counsel for the government in a dozen cases before the United States Supreme Court.
At Culhane Meadows Linda helps global businesses including SaaS providers, telecommunications companies, digital advertisers, employers, internet retailers, software developers and technology startups avoid costly legal mistakes from falling out of compliance with the flood of new international laws governing data privacy and security. With her 14 years of federal service spanning 3 Presidential administrations Linda is also a highly skilled and effective advocate before government agencies and policy makers.
This Blog/Web Site is made available by Culhane Meadows, PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.