Brexit will have fundamental implications for the UK data protection regime. Until Brexit takes place, there will be a period during which its precise form and implications for UK data protection laws are not clear. This interim period comes at a time when data controllers are already anticipating the significant changes that will be made by the General Data Protection Regulation (“GDPR”) from 25 May 2018.
The GDPR will significantly update EU data protection law, harmonize data protection rules across the Member States and grant individuals important new rights to control the use of their personal data. It will extend the scope of EU data protection rules to a wider range of non-EU entities and increase obligations on those processing personal data. The GDPR significantly increases penalties for noncompliance, to a maximum of €20 million or, if greater, 4 percent of global turnover.
Companies will need to prepare for the introduction of the GDPR at the same time as they are considering the potential implications of Brexit for data processing in the UK.
UK Data Protection Regime
Data protection in the UK is currently governed by the Data Protection Act 1998 which implements the EU General Data Protection Directive (“Directive”). From 25 May 2018, the GDPR will apply directly in the UK (unless Brexit has taken place by this date). After Brexit, the GDPR will no longer apply in the UK, although it will still apply as a matter of EU law to UK businesses in relation to their sales of goods and services into, or monitoring individuals in, the EU.
While Brexit will allow the UK to set its own data protection rules, in practice, this freedom will be constrained by the impact of the EU data transfer rules.
The Challenge of Data Transfers to the UK Post-Brexit
Both the Directive and the GDPR prohibit transfers of personal data from the EU to countries lacking “adequate” data protection rules. EU regulators and courts have increasingly adopted a strict interpretation of “adequacy”, effectively requiring substantial equivalence with the EU data protection regime.
The UK will face a choice. It could decide to apply data protection rules that are recognized as “adequate” by the EU Commission, in which case personal data can be transferred freely from the EU to the UK, reducing costs for business. However, this is likely to involve applying rules similar to the GDPR (potentially with some variations, such as lower penalties). Alternatively, the UK could adopt laws that the EU did not consider met this standard, in which case businesses in the UK would be subject to the same restrictions that currently apply to data transfers from the EU to the United States or Asia. In this scenario, transfers of data from EU Member States to the UK would require use of the EU Standard Contractual Clauses, Binding Corporate Rules or a bilateral agreement similar to the EU–U.S. Privacy Shield. These arrangements are likely to lead to cost and complexity for businesses and, in the case of a bilateral agreement, would need approval of the EU and the UK government.
Clearly, the overall form Brexit will take is not yet decided and will be subject to significant discussion. However, it is likely that each of the basic outlines for Brexit currently being canvassed will have a similar implications for the UK’s data protection rules.
- If the UK trades with the EU as a member of the European Economic Area, it is likely that the EU would require the UK to adopt measures similar to the GDPR as part of its commitment for access to the single market.
- If the UK relies on bilateral trading agreements with the EU covering different sectors, it will face a choice between adopting “adequate” data protection rules to allow UK businesses to receive unrestricted data flows from the EU or accepting that UK businesses will have the cost and administrative burden of putting in place alternative arrangements to allow these transfers. For example, Switzerland has adopted a data protection law that closely resembles the Directive, and it is likely to amend this to reflect the GDPR.
- If the UK trades under the WTO rules, it will face the same choice as to whether to apply “adequate” data protection rules. Canada has been approved by the EU as having adequate data protection laws after essentially mirroring the EU rules.
Whichever approach is taken, the EU transfer rules give a strong incentive for the UK to adopt measures that are broadly equivalent to the GDPR.
Regulatory Uncertainty about EU–U.S. Data Transfers
There are ongoing uncertainties about transfers of personal data from the EU to the United States. The EU–U.S. Privacy Shield (which replaced the U.S.–EU Safe Harbor framework ruled invalid by the European Court of Justice in the 2015 Schemes ruling) has only recently been approved and may be subject to further legal challenge. There are also ongoing proceedings before the Irish High Court challenging the validity of transfers using the EU Standard Contractual Clauses. Brexit will add further uncertainty and potentially require parallel negotiations between the EU and UK authorities to agree on bilateral arrangements to permit data transfers to the UK. This uncertainty will be a particular concern for cloud services providers, which often depend on unrestricted worldwide data flows.
While Brexit gives the UK a theoretical ability to set its own data protection rules, there will be incentives to maintain rules that are substantially similar to those of the EU. Regardless of the form of the UK’s post-Brexit relationship with the EU, EU data protection rules will continue to have a significant influence on UK companies. For some UK businesses, the GDPR will apply directly as a matter of EU law.
Businesses should be considering the impact of the GDPR irrespective of Brexit. Brexit adds uncertainty to this evaluation and will be a factor in certain investment decisions, such as where to locate data centers to service EU customers.