On 15 January 2019, the British Parliament rejected Prime Minister Theresa May’s Brexit deal. The vote produced a clear result: no deal. A no-deal Brexit means the UK would leave the European Union (EU) on 29 March 2019, and there would be no agreements in place about what their relationship would be like in the future. But what does the vote mean for data protection in European companies?
A clarification of several key issues helps companies outside the EU answer the difficult question of whether they have to comply with European data protection laws.
The current ePrivacy Directive, which regulates electronic communications and covers the rules on cookies and e-marketing, will soon be replaced by the ePrivacy Regulation. The full name is: ‘Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC’ (‘Regulation on Privacy and Electronic Communications’). Its final content and effective date are not known at this time, but a draft was published in early 2017 and is not expected to change substantially before it becomes applicable. Although the ePrivacy Regulation was supposed to be published together with the General Data Protection Regulation (GDPR), the final draft is expected in 2019.
In December 2015, after years of negotiations, the EU Parliament and the EU Council agreed on a European General Data Protection Regulation (GDPR). The aim is to bring the protection of personal data to the same level throughout Europe. From a German perspective, the existing data protection laws will not change substantially under the GDPR. However, some companies in the rest of Europe will face considerable changes. One of these changes will be the mandatory appointment of Data Protection Officers throughout Europe.
How intensively are American authorities using their right to inspect personal data collected by companies? This question arises again in light of the recent devastating decision of the European Court of Justice (ECJ) on data transfers to the US under Safe Harbor. Indeed, the Tribunal cited the mass, uncontrollable surveillance activities of US authorities as an important argument. According to the ECJ, this is not in compliance with the EU's data protection regulations. As recent publications show, the Tribunal's reasoning for the judgment was closer to reality than suspected.
On 2 June 2015, the US Senate passed the Freedom Act, new legislation which replaced parts of the expired Patriot Act. A revision of, inter alia, the parts dealing with telecommunication data and its surveillance turned out to be necessary in order to restore the trust of the US public in their authorities after the Snowden revelations. Under the Freedom Act, American authorities (e.g. the NSA) are prohibited from collecting mass data on data subjects. Against the background of the recent devastating decision of the European Court of Justice (ECJ) on data transfers to the US under Safe Harbor, companies may ask whether these legal changes make data transfers to the US possible again.