The implementation of EU data protection and compliance is complicated by Brexit, says BBT columnist Amon Cohen
On holiday in Crete this summer we shared a table in a busy taverna with a couple from the Netherlands – the lovely Patrice and Karin, from Gouda. At the end of the meal I assumed we would, well, go Dutch on the bill, but Patrice absolutely insisted on paying. “You need to hold on to the money you have,” he said with utter seriousness. “You are going to be very poor after Brexit.”
Patrice’s gesture did not surprise me. I communicate with EU-based business travel people practically every day and I find our Dutch friends above all others consider us completely bonkers for voting to leave. They cannot comprehend why any nation would choose to economically self-harm. They conclude we will change our minds once we appreciate the damage we will cause ourselves.
While I wouldn’t bet my mortgage on this prediction, the enormity of unstitching 45 years of regulation and institution-sharing does finally seem to be dawning on more Brits. And can we truly Brexit anyway? That line from the song Hotel California, “You can check out any time you like but you can never leave”, is increasingly being invoked.
Data protection regulations
The EU’s General Data Protection Regulation (GDPR), cover star of the previous issue of BBT, is just one example of Don Henley and Glenn Frey’s prescient words. Travel managers who haven’t prepared for GDPR, a new and more stringent EU regime for data protection which will apply in the UK from May 25, 2018, must act now. In a nutshell, it places far more onus than preceding legislation on businesses to ensure protection of personal data, not only about customers but also employees. Compliance will be policed more. Non-compliance will be punished more (up to four per cent of turnover).
For corporate travel, much of the burden for ensuring compliance will fall on your travel management company, generally considered the all-important data ‘controller’. But some lawyers say it will also be a case of, to quote the Roman poet Juvenal, “Who guards the guards?” In other words, clients that don’t verify due care by their TMC and other service providers could be found liable themselves.
If you are a UK-based travel manager who thinks you can ignore all this once we leave the EU, think again. This is where the Hotel California principle applies. Our government wants, to quote a UK parliamentary sub-committee report published in July, “unhindered and uninterrupted flows of data between the UK and the EU post-Brexit, to facilitate trade and law enforcement cooperation”. Failure to provide it could “present a non-tariff barrier to trade, particularly in services”.
In other words, to carry on doing business with its members, the EU will require us to continue protecting data to at least the same standards. What will definitely change in future is that we will have no say in what those standards are. Instead of shaping rule-making, we will have to follow it no matter how good or bad.
That’s not all. Once we leave the EU in 2019, we become a “third country” in data privacy parlance. The parliamentary committee concludes that, as a third country, the UK will have to go through an adequacy test to prove it meets EU data standards. The committee says this will only be possible during any transition period for data protection our government can agree with Brussels. No transition period, no adequacy finding. No adequacy finding (which even a transition period cannot guarantee), no trade.
Don’t forget, this is one among countless issues the UK must resolve to avoid falling off a cliff in 2019 or 2022. All that expenditure of effort just to maintain the status quo and trade with (and travel to) our biggest partner. Still think Brexit’s a great idea?
Privacy shield review
Speaking of data regulation, watch out this month for the first annual review of Privacy Shield, the current agreement governing the transfer of personal data to the US in compliance with stricter EU standards.
Since the US is where much business travel data is stored, it’s a vital issue, and travel-related companies figure prominently among 2,100 US entities signed up to the scheme. Privacy Shield has critics on both sides of the Atlantic, so there is a real chance it could die.
If that happens, expect major problems for US-based travel service providers and their clients, especially as an alternative transfer mechanism, standard contractual clauses, is also under legal challenge.