Join our Waitlist for Expert Advice!

Brexit Is Complicating Digital Marketing and EU Data Privacy An already uncertain framework for protecting users was jolted by Brexit.

By Mike Canarelli Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Shutterstock

The United Kingdom's decision to leave the European Union could have significant ramifications for domestic digital marketers doing business internationally. Every day, digital marketers in the U.S. come in contact with mountains of personal data. These can include customer email addresses, browsing habits, age, gender, geographic location and any other data Google, Facebook and other go-betweens allow U.S. marketers to collect.

Safe harbor.

Until late last year, U.S. marketing agencies were subject to the long-standing Safe Harbor agreement, which regulated the flow of personal data between the EU and the U.S.

Safe Harbor prohibited the transfer of data to a country outside the European Economic Area (EEA) unless that country had adequate data protection measures in place. American agencies receiving EU citizens' personal data could self-certify they complied with Safe Harbor. This basically attested their practices adhered to a range of European privacy standards. Although the agreement applied to any country outside the EEA, it primarily targeted the U.S. and American companies.

The Snowden effect.

Ever since former CIA employee Edward Snowden leaked classified information, the EU has been exceedingly sensitive about the transfer of EU citizens' personal data to the U.S. Truth be told, the EU long had regarded U.S. privacy laws as inadequate. The release of the Snowden documents only strengthened that position. In the wake of the leak, the European Court of Justice convened and re-examined the Safe Harbor agreement. The Court, which is tasked with ensuring EU law is applied equally across the EU, found U.S. compliance with Safe Harbor lacking. In October 2015, the Court invalidated the agreement. The decision was effective immediately.

In December 2015, the EU adopted the General Data Protection Regulation (GDPR) to patch the gap. While the GDPR isn't enforceable until 2018, most U.S. and international companies are using that framework as their guideline to satisfy the EU's requirements for personal data transfer.

Related: The New EU General Data Protection Regulation: Big Data Protection Gets Personal

Privacy shield.

In February, the EU and the U.S. announced Privacy Shield, a new agreement to replace Safe Harbor. Privacy Shield represents a more rigid framework that creates stronger obligations for U.S. companies, stronger monitoring and enforcement from U.S. authorities and an annual review process to ensure new measures are implemented. European and U.S. officials worked throughout the spring to iron out details of the agreement and begin implementing its provisions.

The Brexit complication.

Negotiations surrounding data transfer have gotten only more complex since June 2016, when the U.K. voted to leave the EU. Brexit has raised a number of questions that have yet to be answered. Among them:

  • Will the Privacy Shield agreement need to be renegotiated?
  • Will the EU need to negotiate a new agreement with the U.K. similar to the one in place with the U.S.? If so, when would that happen?
  • Is there a chance the U.K. might find itself flagged by the EU as a jurisdiction with inadequate privacy laws?
  • Will data transfers between the U.K. and the U.S. have to undergo scrutiny from the EU because personal data from citizens of EU member states might be included?
  • Will Privacy Shield be put on hold while the EU and the U.K. negotiate the withdrawal? If so, what framework will govern transatlantic data transfers in the meantime?

Related: Companies to Face Tighter EU Data Restrictions

The Brexit vote and the chaos that now surrounds Privacy Shield creates tremendous uncertainty for U.S.-based digital marketers who collect personal data from customers in the EU. In the short term, however, there is some good news. In the wake of the Safe Harbor invalidation, many U.S. companies -- including marketing agencies -- incorporated into their agreements "model contract clauses" and "binding corporate agreements." Both instruments have been approved by EU courts. They allow for the collection and transfer of data from Europe to non-EU jurisdictions, and this practice likely will continue until more answers come into focus.

What comes next?

U.S. marketing agencies still must heed EU privacy laws when dealing with the U.K. Why? Two reasons. First, chances are good that the U.K. independently will adopt many of the same EU policies and procedures. Second, personal data obtained from U.K. sources likely will include information about members within the remaining EU nations.

Marketers target specific demographics on behalf of clients and brands. As the internet has made the world more interconnected, it's impossible for domestic marketing agencies to simply ignore the data protection measures put in place by countries outside the U.S. Complying with the wishes of these countries makes sound business sense. It enables companies to access some of the world's largest markets and protects agencies from exposure to international violations and liability.

The impact on marketers.

The many obstacles and headaches associated with international data protection compliance may seem onerous to domestic agencies, but doing nothing could present greater problems. Even if U.S. agencies choose to deal solely with domestic companies for the exchange of personal data such as email lists and demographic data, there's no realistic way to sort out which information is outside the EU and which is inside. Companies still have to hash out the names and/or emails on such lists, making it impossible to know which is which and who is who. A single email address belonging to a citizen of the EU in a 5,000-name list obtained by a U.S. marketer is enough to expose all parties involved to a potential violation.

For now, not too much has changed in the wake of Brexit. Every aspect of data collection has the potential to be renegotiated. Privacy Shield has not yet gone into effect, so most companies are using the EU's GDPR framework to govern their transatlantic personal data transfers.

It's good for third-party marketing vendors to get in the habit of protecting information via hashing -- the process of obfuscating all or part of the digital data. It's an extra reassurance for third parties who might not have requested personal data from the EU but unwittingly received it, all the the same. Hashing is a solid way to protect data and also can make the retrieval process easier.

Related: Brexit Will Affect Your Business -- Here's Everything You Need to Know

The takeaway.

With so many uncertainties, U.S. marketing agencies can be sure of one thing: Brexit means it almost certainly will cost more to comply with new rules for collecting personal data. Legal fees, compliance initiatives and added layers of security all will be factors. No matter how the future unfolds for the U.K. and the EU, there will be new challenges -- and that means new expenditures.

The good news, of course, is that the U.K.'s departure from the EU could take several years to sort out. For domestic digital marketers, this means continuing to safeguard the personal data they obtain and familiarizing themselves with the GDPR.

Mike Canarelli

Web Talent’s CEO and Co-Founder

Mike Canarelli is CEO and co-founder of Web Talent Marketing in Lancaster, Penn. His Internet marketing agency specializes in content marketing and PR, search engine optimization, paid search management, social media and website design and development. 

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Starting a Business

She Started a Business With $300 After Getting Laid Off. It Made $300,000 in Year 1 and Became a Multimillion-Dollar Company.

Bobbie Racette wanted to revamp the virtual assistance space — and provide job opportunities for underrepresented communities at the same time.

Business News

Can Anyone Beat Microsoft at AI? The CEO of Salesforce Thinks His Company Can.

Salesforce CEO Marc Benioff calls Copilot "the new Microsoft Clippy."

Starting a Business

How to Find the Right Programmers: A Brief Guideline for Startup Founders

For startup founders under a plethora of challenges like timing, investors and changing market demand, it is extremely hard to hire programmers who can deliver.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Franchise

McDonald's Launched a Happy Meal for the 30th Anniversary of a Classic '90s Sitcom — But There's a Catch

The promotion is only available in one country, so fans elsewhere are turning to resale platforms like eBay to buy the collectible toys.

Business News

'Not Yet Fully Autonomous': Tesla's Optimus Robots Stole the Show — But Were They Actually Controlled By Humans?

Musk said the $20,000 to $30,000 robot could perform household tasks like mowing lawns and putting away groceries.