The United Kingdom’s vote to leave the European Union coincides with a seismic change in data protection law. Once Article 50 of the Lisbon Treaty is invoked, there will be a period of two years to complete negotiations and exit the EU. Depending on the withdrawal negotiations, this period may be either shortened or extended. If one thing is clear, it is that the negotiations for the terms of the UK’s exit are likely to overlap with the implementation across the EU of the General Data Protection Regulation (GDPR) in May 2018.
The regulator’s response Shortly after the result of the UK’s referendum became clear, the Information Commissioner’s Office released a press statement noting that the Data Protection Act 1998 (DPA) remains the law, that the GDPR would not directly apply to the UK if the country was no longer part of the EU, but that “having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking with government to present our view that reform of the UK law remains necessary”.
What will the UK-EU relationship look like? The UK has been actively involved in the development of EU data protection laws. Given that the GDPR may come into force in the UK and EU before the negotiation period to leave the EU is complete, the UK should not find it difficult to achieve the ‘adequate’ status necessary to maintain current trade and commercial relationships with the EU. Indeed, with little to no incentive to buck the EU and international landscape of data protection laws, it may be that the UK adopts much of the GDPR into its law, either as an update to the current DPA or as a new legislative measure.
The UK could be granted ‘adequacy’ status by the European Commission, as Canada, Switzerland and several other countries have achieved under the EU Data Protection Directive (95/46/EC). The European Commission, under Article 45 of the GDPR, may assess whether a country has an adequate level of data protection by taking into account:
- The rule of law, respect for human rights and fundamental freedoms, and other legislative enactments and case law
- The existence and effectiveness of an independent supervisory authority with adequate enforcement powers
- International commitments the country has entered into
Adequacy status would provide companies operating out of the UK with a competitive advantage over those operating from, for example, the United States.
How will personal data be regulated under UK law? If the UK exits the EU before the GDPR comes into force, it will not be without a data protection law. The DPA remains the law of the UK. Even now, the Information Commissioner’s Office interprets the DPA in a manner that is consistent with some of the GDPR requirements, such as privacy by design and accountability through the use of privacy impact assessments. Compliance with the DPA provides a degree of compliance with the GDPR.
An opportunity in disguise… While those who wished to see the UK remain within the EU will be understandably disappointed, the vote to leave could provide an unexpected opportunity for the UK to introduce flexible data protection laws and become a data haven. Once outside the EU there would be more opportunity to reach bilateral trade agreements with major, high growth countries which have been unable to agree deals with the EU; India and China are some obvious examples. Adequate protection status alongside a more business-friendly approach could enhance the UK’s position as the gateway to Europe. The UK remains open for business and is a jurisdiction that fosters innovation.
How will Brexit affect data transfers? Under the DPA, UK data controllers are permitted to make their own adequacy determination for transferring data outside the UK and EEA. In addition, the UK remains a member of the Council of Europe and a party to Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. That Convention, while more limited in scope than either the Data Protection Directive 96/46/EC or the GDPR, safeguards the processing of personal data and includes provisions relating transborder data flows. The principles for processing personal data align with both the DPA and the GDPR and including fair and lawful processing, purpose limitation, data minimisation, integrity and security. Individual’s rights of access, correction and erasure are also included, and the scope of sensitive data is the same as that contained in the Directive. The Convention provisions relating to transborder data flows permits the transfer of data between Convention 108 members which include not just the EU member states, but contain a much wider list of Convention members spanning 50 countries, including Turkey, Russia, and Ukraine among others.
The EU is likely to agree the Privacy Shield in early July. Brexit will not affect that agreement, and for the UK, Brexit should not change UK policy in relation to the Privacy Shield. Since, as mentioned, the DPA permits UK data controllers to assess adequacy, it may be that the Information Commissioner’s Office deems certification to the Privacy Shield by US companies adequate even if the UK is outside the EU. Such a stance would not be unprecedented, since other countries, such as Israel, had taken a similar position in relation to the US-EU Safe Harbor Framework before it had been ruled invalid by the CJEU. If that is the case, then transfers of data to the US on the basis of certification to the Privacy Shield could be deemed per se adequate by the UK.
What should my organisation be doing now? In short, stay focused on your business. The UK has traditionally taken a pragmatic view to the implementation and enforcement of data protection in the furtherance of facilitating trade. This approach is unlikely to change and could present opportunities when looked at in the light of the UK’s attitude to fostering innovation, even while organisations continue to put in place a strategy for compliance with the GDPR.
Client Alert 2016-161