The current state of play
- The data protection framework in the EU is based on the Data Protection Directive. Although member state regulation is based on this directive, domestic laws and, in particular, respective enforcement practice differ to some extent from one state to another.
- A higher degree of harmonisation in EU data protection standards will be achieved by the proposed General Data Protection Regulation (GDPR) which is set to be adopted by the end of 2015 and enter into force by the end of 2017. The GDPR will be directly applicable in all member states, and will introduce fines at a level similar to antitrust regulations in the EU. It will have a broad scope of application and will most likely also cover data processing outside the EU if such processing is related to the offering of goods/services to data subjects in the EU.
Collection, processing and transfer of personal data
EU data protection regulation is based on the principle that any collection, transfer or processing of personal data requires a legal justification (e.g. the data subject’s consent, overriding legitimate interests of the data controller or regulatory requirements).
Transfer of data outside the EU
The transfer of personal data outside the EU is subject to additional requirements. In most cases, this is only allowed if the Commission regards the country where the recipient of the data is located as providing an adequate level of protection (a 'safe third country'), or if another recognised safeguard (for example, standard contractual clauses approved by the Commission) is put in place for the transfer.
Commissioned data processing
Under certain circumstances, transfers of personal data to so-called data processors (e.g. server hosts or certain providers of software or cloud computing) do not require a separate legal justification, because the processor acts only on the controller's instructions. However, this exemption only applies to commissioned data processing within the EU. If a data processor is located outside the EU, transfers of personal data to it still require a legal justification, even if the parties sign a data processing agreement and agree to ensure compliance with EU data protection regulation.
What should I be thinking about now?
Data processing outside the EU
An important question is whether, after a Brexit, the UK would be classified as a 'safe third country' by the Commission, so as to permit EU personal data to be transmitted to the UK. If it were not, UK companies doing business in the EU would need to re-think their data protection compliance strategy.
Commissioned data processing
Cross-border data flows to data processors in the UK which do not currently require a legal justification would be likely to require a specific justification after a Brexit. Without such a justification, changes to existing data flows may become necessary, which would be especially burdensome where the UK processor acts as a data processing hub within a group structure with headquarters or subsidiaries in the EU.
Applicability of EU data protection regulation
What would the UK data protection regime look like following a Brexit? To what extent would the UK want to retain the regime based on the Data Protection Directive or the GDPR changes? Would a negotiated post-Brexit UK/EU relationship involve the UK keeping in step with the EU in this area?
The answers to many of these questions will depend on the nature of a post-Brexit UK/EU relationship.