In a previous article we discussed the new EU General Data Protection Regulation (the "GDPR"), which is set to bring significant changes to the data protection law of EU member states from 25 May 2018. The GDPR will be directly applicable to all member states within the EU, meaning that no domestic legislation is needed to implement the laws. The GDPR will be more stringent than the UK's current data protection laws. Its aim is to update data protection law to reflect modern needs and harmonise the laws and enforcement practice across the EU.
With the UK voting to leave the EU, what will happen to data protection law within the UK?
This depends to some extent on the nature of the relationship between the UK and the EU following Brexit. However, there are a number of factors which indicate that the UK may increase protection of personal data in a similar way to the EU.
Currently, it is not clear how the trade negotiations with the EU will develop. However, if the UK elects to remain part of the European Economic Area ("EEA"), often referred to as the Norwegian model, the freedoms of movement of goods, services, persons and capital are incorporated in any event and the GDPR would be directly applicable to the UK in the same way it is applicable to a country in the EU. Whilst this option appears expedient as the UK would retain access to the single market, it may conceivably be unpalatable to the next Prime Minister, as the free movement of workers would remain and the UK would be likely to remain a net contributor to the EU without having any voting rights in relation to the proportion of EU rules that would apply to the UK.
As this article focuses on data protection law, other forms of trade agreements are not considered. Paul Paling sets out these trade options in Brexit: the Legal Position. What is important for the purpose of this article is that remaining in the EEA or implementing the GDPR or substantially equivalent legislation may be necessary to protect the UK's global trading position.
The UK's data protection laws are heavily based upon EU laws. The EU Data Protection Directive 95/46/EC was implemented into the UK by the Data Protection Act 1998 (the "DPA").
Even if the GDPR does not apply to the UK post Brexit (e.g. the UK also leaves the EEA and does not implement legislation equivalent to the GDPR), the significant technological advancements since the DPA (including the internet and cloud computing) mean there will clearly be a need to update data protection law as a point of public policy, regardless of the position between the UK and the EU. The response to the referendum result from the Information Commissioner's Office, the regulatory body in the UK for data protection issues, made clear that "reform of the UK law remains necessary".
In addition, the Information Commissioner's Office was heavily involved in the GDPR. If the GDPR were not implemented in the UK, the Information Commissioner's Office may push for features of the GDPR, such as the degree of control data subjects have over their personal data, to be included in any UK-specific legislation. The importance of stronger data protection laws to the ICO was further illustrated by its referendum result response stating "Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary".
Eighth Data Protection Principle
Principle 8 of the DPA provides that:
"personal data can only be transferred outside the EEA if the country it is transferred to provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data" (the "8th DPP").
If the UK leaves the EEA, there are a number of ways of achieving the 8th DPP. The most business friendly way would appear to be the UK being designated a "safe third country" providing adequate protection by the EU Commission to avoid businesses breaching the 8th DPP when transferring personal data from European countries to the UK.
To do so, the UK's domestic laws would need to provide an "adequate level" of protection – presumably, from 25 May 2018, to a similar level as that provided by the GDPR. Such designation would primarily be through being added to the "White List". The White List recognises countries which ensure an adequate level of protection of personal data by reason of their domestic law or the international commitments they have entered into. It is based on the EU Commission giving an Adequacy Finding Decision, and the procedure for this is layered with no guarantee of such adequacy being recognised. Countries such as New Zealand and Switzerland rely on such adequacy decisions to process personal data in accordance with the 8th DPP without further safeguards being necessary.
Whether via such White List or the UK remaining part of the EEA, the Information Commissioner's Office's post referendum statement is clear that "data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018".
If the UK fails to meet this adequate level, it would be more difficult for EU businesses to transfer personal data to the UK. Instead, businesses would be required to consider other mechanisms such as:
- entering into an agreement known as "Model Contract Clauses" or Binding Corporate Rules. These are far more time-consuming and cumbersome for a business.
- consent from data subjects that they are happy for their data to be processed in the UK, but seeking consent may be administratively burdensome and difficult to achieve in practice.
The USA – A Valid Example
The USA is an example of a country outside the EEA with markedly different data protection laws from those of the EU. Its mechanism for trying to comply with the 8th DPP (known as "safe harbor") was recently deemed to be invalid in the famous case Maximillian Schrems v Data Protection Commissioner C-362/14. This has caused much confusion, chaos and ongoing uncertainty post-Schrems regarding data transfers to the US and the US attempts to satisfy the adequacy requirements of the 8th DPP via other mechanisms. This illustrates the possible dangers of having data protection legislation significantly different from the GDPR post Brexit.
It therefore seems that whether the UK remains in the EEA or not, the level of protection offered by the UK post Brexit will need to closely resemble that of the EU in order to continue trade with the EU in accordance with applicable laws and avoid other businesses breaching the 8th DPP. It is unlikely to be practicable or in the UK's interests to implement an entirely different data protection regime from its EU neighbours. As such, data controllers (particularly those that offer goods or services to EU citizens or monitor the behaviour of anyone in the EU) would be prudent to continue with preparations to comply with the GDPR.