This is the second in a series of occasional blogs we’ll be writing about what Brexit means for IT and IT Law in the coming weeks and months. Deirdre Moynihan reviews what Brexit is likely to mean for Data Protection, where the approach to implementing the General Data Protection Regulation could well turn out to be a litmus test of what will happen more generally.
In his first Brexit and IT law blog, Richard comments that that one of the surprising things about the EU Referendum was that no one really explained what the UK was actually voting to leave. Similarly, aside from promises that, if we “take back control”, “we can make our own laws” no one really explained what that would actually mean for the UK. Will the government just draw a line through all EU law with effect from the date on which the UK formally leaves the EU (“Exit Day”)? Or will it pick and choose what laws it wants or, perhaps more accurately, needs to keep? As Richard mentions, our view is that, for the purposes of legal certainty, the UK should at least retain communications, data protection, e-commerce, intellectual property, and other IT-related laws that come from the EU. In this, our second blog on Brexit and IT, we look at the potential implications of Brexit for UK data protection law.
The pervasive collection and use of all types of data has been at the forefront of legislators’ and regulators’ agendas in recent years. Specifically with regard to personal data, the broad consensus at a European level for the last few years was that the EU’s original, 1995 law on data protection (Directive 95/46EC) (the “Directive”), was not fit for purpose and required substantial amendment to cater for the ever-increasing ways in which personal data is generated, collected and used. Following years of proposals, counter-proposals, analysis, negotiation and horse-trading, a new data protection regulation (Regulation (EU) 2016/679) (the “GDPR”) was adopted by the EU’s law-makers in April 2016.
Unlike previous European legislation on data protection, the GDPR is more prescriptive – both in terms of its requirements and its method of implementation – than the Directive. Compliance with the GDPR raises significant challenges for all companies that control and process personal data. However, the timing, nature and extent of the GDPR create unique challenges for the UK as a result of Brexit:
- The new law is a regulation rather than a directive. This means that, except for areas in which discretion is granted to member states, no additional steps need to be taken by UK legislators for it to become law in the UK. On 25 May 2018 the GDPR will come into full force and effect throughout the EU. The result of the UK referendum does not change that fact. That date is before the end of the 2-year negotiation period that will be triggered by notification to leave the EU under Article 50. Therefore, unless the UK and the EU reach an agreement as to the status of UK data protection law (i) prior to 25 May 2018, there will be a period of time between 25 May 2018 and the Exit Date when the GDPR will become law the UK and (ii) after Exit Day, the GDPR will (without more) cease to be effective in the UK.
- There is no blueprint for what happens when a country leaves the EU. Therefore, when we say that the UK and the EU need to reach an agreement as to the status of UK data protection law post Exit Day, we do not know whether that means that (i) the UK should adopt the GDPR in its entirety, (ii) the UK should adopt the GDPR in part only, (iii) the UK should retain the Data Protection Act 1988 and not implement the GDPR, or (iv) the UK should completely re-write UK data protection law (this option does not give the UK carte blanche – the UK will remain part of the Council of Europe and its 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) will continue to impose obligations on the UK with regard to data protection). Irrespective of the option ultimately chosen, we believe that the UK will need to seek an adequacy decision from the EU so that companies can transfer data to the UK with confidence that the UK is adequate from an EU data protection perspective.
The ICO (the UK data protection regulator) has stated that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens” and that for this reason, it would be speaking to the UK government to say that reform of UK data protection law remains necessary. Although the comments from the ICO show that it is alert to the possible implications of Brexit on data protection, it does not give much comfort to data controllers and processors as to what to expect post Exit Day. Companies cannot sit back and watch what happens. They need to start planning now to ensure compliance with GDPR by 25 May 2018:
Pre Exit Day
- as mentioned above, there will be a period of time pre-Exit Day when the GDPR will be effective in the UK and a failure of comply would place companies in breach of their legal obligations
Post Exit Day
- the GDPR is extra-territorial in effect – controllers and processors who are outside the EU (which will include the UK post Exit Day) are subject to its rules if the data they process relates to an individual in the EU when goods or services are being offered to that individual or where monitoring of their behaviour (online behavioural advertising) takes place in the EU
- multi-national companies will need to comply with the GDPR in other EU countries, therefore, compliance in the UK should form part of the EU-wide compliance programme
- from a contractual perspective, entities that allow third parties to process personal data will expect those entities to treat data from any EU country in the same way. Therefore, the requirements of the GDPR will still apply for UK processors
The UK has always regarded itself as at the forefront of technological development and as having a sophisticated legal system that is designed to encourage and facilitate business and attract companies to the UK. In our view, adherence to EU data protection principles identical or similar to GDPR post Exit Day is a vital to the continued success of digital UK business and the UK digital economy.