Even before the EU Referendum results were known, the Information Commissioner's Office (ICO) was clear that "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU."
The latest statement from the ICO says that:
"The Data Protection Act remains the law of the land irrespective of the referendum result… If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
The latter point, in particular, is one of enormous significance, especially with the ongoing uncertainty around data exports following the invalidation of EU-US Safe Harbor framework in 2015. So, how could the various permutations play out?
As the ICO has said, current data protection law continues to apply. The issue arises when the EU's new data protection law, the GDPR, takes effect on 25 May 2018. At that point we may still be in the EU, as it is unclear when the exit procedure will be triggered under Article 50 of the Lisbon Treaty, and negotiations may still be ongoing. It is also uncertain whether we will know by then what form our exit and ongoing relationship with the EU will take. So do we proceed as if the GDPR will be implemented or not? In our view, we should.
A case for light touch data privacy laws?
It is possible that Brexit may allow the UK to treat this as a fresh opportunity to review law-making in this area, with a possible move to a lighter touch regime than the one under the GDPR. This would inevitably mean shunning the complete adoption of the GDPR. What would follow, and how much 'lighter' such a new privacy regime could be, is something no amount of gazing into the crystal ball can answer now.
Reality hits home?
The UK as a 'data protection haven' (in the sense of a 'tax haven') may be appealing to some, but the reality is likely to be more prosaic. In reality it is difficult to see how the UK could avoid implementing privacy laws that are substantially similar to, and arguably at least equivalent to, the GDPR.
Geographically, the UK may be separated from the European mainland, but in terms of its global positioning and the vast number of multinational businesses based in the UK, the international picture cannot be ignored when it comes to understanding what type of data privacy laws we will need to have in place. For example, exporting (often also referred to as 'transferring') personal data from Europe to countries outside of the EEA is subject to restrictions. The EU views local data privacy laws as important to establish that an adequate regime of data privacy law exists in the recipient country and also that robust solutions exist to legitimise such exports, for example, by using Binding Corporate Rules and Model Clauses. There has been significant disruption around the need to establish valid solutions for US data flows because of concerns in this regard.
Against the uncertainty of not knowing whether we will join the EEA and what the future relationship with Europe will look like, it is almost inevitable that the European Commission will be pushed to consider whether the UK provides for a data protection regime which is 'adequate' i.e. provides an equivalent level of data protection to the EU. A Commission-issued adequacy decision (of the type already issued for a select number of countries) would allow for the free movement of personal data to the UK from Europe without the need for taking further steps to put tools of legitimisation in place. The Commission would, of course, need to consider the robustness of the data protection law regime in the UK before making such a decision and this, in itself, would create a level of uncertainty.
Putting aside the difficult task of predicting the exact shape of UK data protection law, if judged by previous actions of the Commission it is as clear as day that a lighter touch data protection regime in the UK would not impress the Commission enough for it to grant the UK an adequacy finding.
Add to the equation that the UK and the Commission have a history of not seeing eye to eye regarding the UK's ability to implement data protection laws to the standards required by Europe and it becomes an even more uphill task for the UK to feel confident that a deal over adequacy could be struck in the short term.
There are parallels to be drawn here with the furore around the striking down of the adequacy decision which underpinned Safe Harbor. Recently, we saw the Article 29 Working Party (WP) provide a cautious response to the proposed replacement for Safe Harbor, the EU-US Privacy Shield, and this lack of endorsement has meant that the uncertainty around data exports between Europe and the US continues. The UK could fall into a similar situation of uncertainty should any 'arrangement' be sought to pave the way for an adequacy finding for the UK after Brexit. Of course, Model Clauses and Binding Corporate Rules remain viable options subject to further twists and turns of the data exports roller-coaster, but the range of options would most likely be considerably restricted under any data protection regime which did not mirror that of the GDPR.
The invalidation of Safe Harbor following the Schrems decision handed down by the Court of Justice of the European Union (CJEU) is likely to inform the approach of the Commission if it has to make an adequacy assessment of the UK's post-Brexit data protection regime. One of the key concerns of the CJEU in Schrems was the difficulty of assessing the proportionality and necessity of access to EU personal data by US public authorities for national security and related purposes. The WP, when presenting its findings on the Privacy Shield, laboured the point that the assessment of adequate data protection in line with the requirements of EU law in this regard is not just a matter for the US but also applies to other countries; and this is not the first time there have been rumblings that the UK is already pushing at the limits of what is permissible under EU data protection law in this area.
Following the statement from the ICO, the UK will need to continue to 'box clever' and strike a balance between privacy laws that are robust yet also smart for its global positioning and encouraging growth in areas such as technology, big data, life sciences and medical research. The UK will have to tackle these uncertainties to ensure that data privacy obstacles do not become a barrier to trade and commerce, especially given the UK's major role as a hub, base and launch-pad for international business.
As to how the UK will strike that balance, less reliance on that crystal ball and more leadership in terms of the UK's positioning on the world privacy stage will be required. Anything less would be short-changing the UK and the businesses that wish to internationalise from and through the UK.