Brexit: The implications for UK Data Protection law
The UK referendum outcome to leave the European Union has opened a Pandora’s box of what the legal landscape may be in the UK after Brexit. However, such is not the case, to a great extent, for the data protection law regime which will be applicable in the UK in the post- Brexit era.
The current Data Protection and Cyber security regime
Last month the EU adopted a new data protection framework for its Member States in the form of the General Data Protection Regulation (GDPR). Replacing the Data Protection Directive from 1995, the GDPR, which provides a unified approach to data protection rules, will effectively only be directly applicable in all Member States as of the 25th May 2018 after a two-year transition period.
Following suit, the Directive on network and information security (NIS Directive), which aims to level the playing field for key internet companies and infrastructure operators by introducing harmonised rules to apply in all EU countries is expected to enter into force in August 2016. Member States will be given twenty one months until May 2018 to implement changes to national law.
Finally, the e-Privacy Directive is currently under review with the long-awaited public consultation launched on 11th April 2016. This Directive complements the existing data protection regime and sets out more-specific privacy rights on electronic communications service and network providers. However, it now needs to be amended to ensure inter alia consistency with the privacy rules under the GDPR.
However, some uncertainty exists around how data protection laws will apply after Brexit.
The UK already has its own legislation in the form of the Data Protection Act 1998 (DPA). This Act implements the 1995 EU Data Protection Directive. From a historical point of view, the EU Commission and the UK have had a fractious relationship on data protection issues as the UK never fully implemented the Directive in the eyes of the Commission. In fact, the Commission has been regularly threatening to bring infraction proceedings against the UK over the years. This situation has not improved, with the Snowden affair shedding light on mass surveillance practices within the UK.
What will happen in the post-Brexit era?
The landscape of data protection law post-exit will depend on the choices the UK will make but it is also important to stress that any changes will not happen instantly. For the EU exit process, a Member State must give the European Council at least two years’ notice of its intention to leave under Article 50 of the Treaty of the European Union and a withdrawal agreement will need to be negotiated with the Union, taking account of the framework for its future relationship with the Union.
Given this two-year notice period, it is likely that the exit process and the implementation of GDPR and the NIS Directive may run in parallel.
Currently, there are two scenarios that will arise from this:
- If the GDPR comes into force before the exit, the DPA can be repealed and the GDPR will have direct effect in the UK.
- If the GDPR is not yet in force at the time the UK exits the EU, this means that the data protection regime in place will depend on the UK government’s choices. Either the UK exit option requires the adoption of EU laws as part of the single market, as part of the EEA for instance, following the Norway Model or the UK exit does not require the adoption of EU laws therefore leaving the UK with no other option than to reintroduce its own Data Protection legislation. This may be the case if the UK were to choose to implement a Switzerland Model for instance which has a free trade agreement with the EU and a number of agreements which give it access to the single market for most of its industries but not for the banking sector and other parts of the services sector, which together make up almost 80% of the UK economy.
This latter scenario is of primary interest as the UK may be tempted to actually adopt a more business friendly GDPR. Indeed, the UK has expressed strong reservations against the most onerous provisions of the GDPR. Of particular concern have been, the level of the new fines, the obligation to employ data protection officers and the way the right to be forgotten and the one stop shop approach will need to be implemented.
However, it’s important to bear in mind that whether the UK chooses to leave or to remain part of the EU, the GDPR rules will be applicable to all UK businesses.
This is due to the fact that the GDPR has an extraterritorial effect applying not only to all organisations established in the EU that process personal data but also to any organization established outside the EU which offer goods or services in the EU or which monitor the behaviour of EU data subjects. The Founding Fathers of the European Union would be proud to see that the GDPR may be put to the Brexit test and still be applicable to a great majority of UK businesses operating in the EU. It clearly reflects the ever closer interplay between data protection law, competition law and consumer protection laws in the EU.
The GDPR varies substantially from the current regime. Data processors as well as data controllers will have direct obligations.
UK businesses may be subject to fines representing up to 4% of their annual global turnover or 20 million euros. They will need to implement requests made in the name of the right to be forgotten and having to appoint a data protection officer. Data owners will also have to move away from the current system whereby each data protection authority is responsible for its data controllers and migrate to a one stop shop system which grants main responsibility to a leading authority linked to the main establishment of the data controller or the data processor. Also, it remains to be seen whether the UK will favour the adoption of some legislation compliant with the NIS Directive even if not bound by it, solely in the interest of facilitating trade with EU partners.
European data transfers
One of the most sensitive data protection issues is what will happen to data transfers from EU countries to the UK.
There are two main options to consider in the event of a Brexit. Firstly, the UK exits the EU but chooses to remain part of the European Economic Area (EEA). This would mean that the EU/UK data flows will be subject to all applicable EU Data Protection rules, including the GDPR, as the EEA is effectively an area of “free movement of personal data.”
The second option is a little bit more like playing a wild card. If the UK exits the EU but does not choose to be part of the EEA, then it may seek confirmation from the European Commission that it provides “adequate protection.” Just like any other country, the UK may apply for an “Adequacy Decision” from the Commission and join a restricted list of countries offering adequate protection for data transfers to the UK (this list currently includes Canada, Israel, Argentina or Switzerland for example). Although this looks like a safe path, it may not be granted that easily given the history of the difficult relationship between the UK and the EU.
If there was no Adequacy Decision by the Commission, the alternative is for “appropriate safeguards” to be put in place. These would include options such as binding corporate rules and standard data protection clauses. But both of these options would impose similar sorts of constraints to those applying within the EU. So, although the UK might be able to tweak current EU data protection rules, there would be no space for a substantial deviation.
If post-Brexit, the UK were to decide not to be part of the European Economic Area, and should the UK not be granted an Adequacy Decision by the Commission, data transfers from the EU to the UK would be made significantly more difficult and burdensome.
Finally, the hugely controversial EU-US Privacy Shield plan, which succeeds to the Safe Harbour framework, may, once it is adopted, set the standard for data flows between the EU/UK and the US. However, in a post exit situation, UK faces a complex negotiation of its own Privacy Shield deal with the EU which may not consider it to be a priority in the big scheme of the renegotiation package.
ICO Post Referendum Statement
It does not come as a surprise that the Information Commissioner (the ICO) has fully validated the fact that although the forthcoming reforms to EU data protection laws may not apply directly to a post-Brexit UK which would be no longer a member of the EU, a great part of the data protection standards the UK will have to adopt ought to be “equivalent” to the EU’s GDPR if the UK hoped to continue to trade with the single market, as of 2018
The ICO reiterated its commitment to take on board that “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”
It is fair to say that the legal basis for data protection rules may change after Brexit. However, businesses should be most aware of how these changes will impact their trading relationship and it would be prudent to review current data protection policies and structures so as to be prepared to abide by the GDPR rules if doing business in Europe after Brexit.