GIMA Brexit Report

The implications of Brexit on data protection

The EU General Data Protection Regulation (GDPR) is expected to come into force in EU Member States on 25 May 2018. As seems likely, the UK will then still be a member of the EU, so the GDPR will have direct effect on businesses established in the UK from May 2018 until Brexit.

The implications of Brexit on data protection are complex and create a great deal of uncertainty for individuals, businesses and the UK economy. Data protection is, for example, a key area affecting the UK’s participation in the Digital Single Market.

The GDPR

The provisions of the GDPR were fiercely negotiated over four years. The intention had been to create a level playing field for data protection across the EU, replacing the fragmentation that resulted from the differing standards and requirements of the national laws implementing the 1995 Data Protection Directive. However, far from achieving full harmonisation across the EU, the final text of the GDPR made many provisions subject to the requirements or determination of individual Member State laws.

The position after Brexit

The effect of a Brexit could be that:

  • the GDPR will no longer have direct effect on UK businesses which are only established in the UK;
  • any UK business which has an establishment in another EU Member State (and the term “establishment” has been broadly defined) may need to comply with the GDPR as a consequence of its linkage to the EU-based business; and
  • as a consequence of the extra-territorial effect of the GDPR, the GDPR will expressly apply to any UK business which offers goods or services to individuals in the EU or monitors individuals in the EU.

What is the UK Government’s position?

On 4 July 2016, Baroness Neville-Rolfe DBE CMG, Minister for Data Protection, recognised that it was possible that the GDPR may not apply. In a speech she stated that the Government does

“not know how closely the UK will be involved with the EU system in future. On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”

In relation to cross-border data transfers, the Minister expressed her view that

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward.”

She went on to reiterate that

“in the meantime, the Data Protection Act continues to be the UK’s data protection legal framework and it is important that organisations continue to comply with it.”

What is the view of the Information Commissioner’s Office?

On 28 June 2016, the outgoing Information Commissioner set out how his Office (the ICO) would be approaching the issues.

“Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

What could the UK do following Brexit?

The UK has significant interest in ensuring that personal data can freely flow between EU and UK businesses post-Brexit.

Any data transfers from the EU to the UK (as a non-EU State) will only be permissible, without further legal justification, if the UK can demonstrate to the satisfaction of the European Commission and the Supervisory Authorities that it offers adequate protection for personal data. In effect, for data to flow from the EU to the UK, the UK will need to have a level of data protection equivalent to that of EU Member States.

There are myriad options available to the UK. Some of the options, and their consequences, are considered below.

Option 1: The UK fully implements the terms of the GDPR into national law

This option would bring certainty to the question of the adequacy of the UK’s protection of personal data. Personal data could flow freely between the Member States and the UK. As the UK was at the negotiating table and agreed to the final text of the GDPR, the GDPR may well be acceptable to the UK Government.

All businesses, whether they operate only in the UK or across Member States, would have a single set of rules bringing legal and commercial certainty.

Option 2: The UK retains the Data Protection Act 1998 (DPA)

The DPA implemented the 1995 Data Protection Directive into UK law. The UK Government could leave the DPA in force. The protections offered by the DPA are not equivalent to those in the GDPR. In addition, the European Commission has considered that the DPA did not properly implement the 1995 Directive. The UK would not have a regime which is essentially equivalent to the GDPR. Consequently, the UK would not have “adequate” protection for personal data.

This may be attractive to UK businesses which have no EU operations and do not do business with EU citizens, as there would be no change for them.

This option would have a significant impact on UK businesses with EU operations and those which offer products or services to, or monitor, EU individuals. Those businesses would either have to apply the GDPR in full across all their operations or comply with two parallel systems, the DPA and the GDPR.

Option 3: The UK repeals the DPA

Although it is unlikely, the UK could decide to repeal the DPA in its entirety. This might be attractive to some politicians and industry bodies who have criticised its complexity and the regulatory burden. However, repeal without replacement would be a retrograde step, removing rights from individuals and dismantling a framework of good data handling standards.

The UK would be considered as having inadequate protection for personal data. As in option 2, organisations doing business in the EU would still be required to comply with the GDPR. The UK might have to enter into an agreement, akin to the US Privacy Shield, to allow data to transfer to the UK. Alternatively, EU businesses would need to legitimise transfers of data to the UK using mechanisms such as consents, model clauses or binding corporate rules.

What to do now?

Until we have more clarity on the exit process, we would suggest that clients:

  • keep up to date on statements from the ICO and its sponsoring department, the Department for Culture, Media and Sport;
  • undertake at least a high-level audit of their compliance with the UK’s DPA and the significant changes in the GDPR;
  • find out more about our data protection training;
  • review where the business and any group companies are established; and
  • check whether the activities (both online and offline) of any UK arm of their business include offering goods and services to, or monitoring the activities of, EU individuals.

Article written by Mark Gleeson, Partner (Barrister) at Browne Jacobson LLP