There’s a hoary old saying that you learn in law school: “the law is a seamless web”. What’s meant by this is that, although you study law as a series of discrete, siloed topics, it’s all really one big thing, and all interrelated.
Brexit and IG in the Headlines
Great Britain’s decision to depart from the EU is illustrative of this. At first glance, it wouldn’t seem to have a whole lot to do with information governance, but even a cursory closer look reveals that quite the opposite is true. Just consider a few of the front-page topics that are of concern, without even getting into technical details:
- The EU is a free travel zone where EU citizens can live in any country that they choose, much like the US. When Great Britain leaves the EU, that will no longer be true in Britain for the many non-British EU citizens who not reside there. Presumably, all of those folks will need to apply for residency cards and work permits and all the other things you want to do when you go to a different country and want to live there and work there. And of course, the many millions of British expats who now live in other EU countries will be faced with the same sort of thing. Assuming that all of these people manage to get their residency permits and work permits – and maybe some won’t, which is another post – employers will be faced with managing these new records that previously they did not have, as well as dealing with whatever paperwork was necessary to facilitate assisting their employees in obtaining these newly required permissions, and undergoing employment audits and all of the rest of the burden that comes with having foreign employees.
- In like manner, businesses have been relatively free to locate where they choose within the EU. Again, no more. But, a great many businesses from other EU countries already have very significant operations in Great Britain, and likewise, many British companies have very significant operations in other EU countries. The legal status of those operations must now be sorted out, at what will no doubt be great expense, and generating a great many records as part of the process. And of course, on an ongoing basis, there will now be registration requirements and reporting requirements and all of the other things that come with conducting an ongoing business any foreign jurisdiction.
- Travel between Great Britain and the EU will become more complex as well. Great Britain is currently part of the Schengen Area, within which travel is passport- and visa- free. Once again, no more. Travelers between Great Britain and EU countries will have to go through passport control and get a visa stamp and all the rest of it, and all of that will generate lots of new records for someone.
Beyond the Headlines
The above was merely the headline-grabbing set of issues. On a technical level, things are complicated in many other areas as well. Consider:
Privacy – Privacy law in the EU originates as EU directives that are ultimately translated international law. Even assuming – and it may or may not be a good assumption – that Great Britain maintains its current privacy regime on the books, it will not, in the future, be subject to future directives emanating from the EU, and so inevitably, privacy law in Great Britain will diverge from that in the EU.
The issues arising from this could be quite considerable. Consider that, under the newly promulgated Data Privacy Framework, a country cannot be deemed to have privacy protections in place that are comparable to those of the EU, unless it is specifically listed as such by the EU, and data transfers elsewhere are prohibited. Until now, companies in Great Britain did not have to worry about this because Great Britain was part of the EU. But soon, it won’t be. And unless and until the EU elects to put Great Britain on the list of accepted countries, personal data transfers to Great Britain will be prohibited. Anyone who works for a multinational and has to deal with the current version of that problem respecting the United States versus EU will appreciate the colossal problem that could be. And likewise, if substantive British privacy law begins to vary significantly from EU law, as almost certainly it will over time, there’ll be yet one more variation of everything that somehow has to be folded into policies and procedures, technology applications and everything else that inevitably gets dragged into these things. And again, anyone who has had to deal with this appreciates how very complicated and challenging it can get. Companies now based in the UK that have never had to deal with the US/EU privacy challenge will be in for a rude shock as they discover how very difficult it is to manage that set of compliance issues.
Workplace Health and Safety – once again, this is an area where much of the regulation originates at the EU level, and then works its way down into national regulation through statutes and regulatory enactments. No longer a member of the EU, Great Britain will no longer be bound by these, and whether or not current regulation of EU origin remains in effect, Great Britain will not be bound by future EU directives, so inevitably, its regulatory course will diverge from that of the EU. And of course, any associated records and information governance requirements likewise diverge.
Customs, Accounting and Tax – is a member of the EU, Great Britain is part of a common customs union with the other EU countries. That means free movement of goods, and no customs paperwork between those countries. And as a member of the EU, Britain also shares other common requirements and characteristics in its management of tax and accounting, including such things as VAT tax that are the subject of a common tax code, and which are calculated and collected as part of a common collections scheme. When Britain exits the EU, all of these arrangements no longer apply. So, not only will Great Britain have to negotiate trade agreements with the EU, but as a foreign jurisdiction, all sorts of tax and accounting issues that currently do not affect it is against the EU will suddenly come and play. So too will similar arrangements with other countries that are predicated upon EU membership. So not only does all of this affect Great Britain but it affects other countries, and businesses within those countries as well, because Great Britain must now be treated as an entity separate from the EU for many purposes for which it is now effectively part of that greater entity. It could well be that managing the split would require the breakup of some large entities, with the many information management and governance issues posed by that.
The above are only a sampling of the many technical issues that are still to be sorted out. There are many, many other technical legal issues, a great many of which are directly relevant to information governance, and to businesses with a presence in Great Britain and other EU countries, and which will affect the ways those companies do business and manage records.
The Uncertain Future Course
And worse, all of the above is fraught with a great deal of uncertainty. Since this has never been done before, there isn’t a framework or roadmap to go by, so no one really has any idea of what the outcomes are likely to be – or how to get there. The only authority is a single high-level treaty that leaves all of these many technical details to negotiations. So now we enter into a long period where businesses and individuals do not have clear guidance as to how to proceed. And, this period could go on for quite a while – Britain is already stalling for a bit, waiting for a new government to come to power, which will take at least several months, and the negotiations themselves cannot start until Britain begins the formal secession process, which they appear in no hurry to do. Even once the negotiations start, they are likely to go on for months or years, just to get a first-generation solution up and running, You can bet it will need modifying, so there’ll be a second period of uncertainty while the new regulatory regimes are being vetted and corrected, issues litigated and resolved and new precedents developed; and all of that will certainly take years more.
And it could get even more complicated. Other countries are making noises about leaving the EU as well. Scotland and Northern Ireland – and even the city of London – have made it clear that they would very much prefer to remain part of the EU. So, London is seeking greater autonomy, which may result in different regulatory regimes more in harmony with the EU, while Scotland is rumbling outright about secession from Great Britain and rejoining the EU, and Northern Ireland is rumbling about leaving Great Britain and joining the Irish Republic, and with it the EU. And of course, there’s the secession movement in Catalonia, that I’ve not even mentioned.
Everything I’ve just discussed is revisited again in some way or another for each of these scenarios, should they come to pass. Businesses could be in for a very complicated next few years indeed. Hold on to your hats.