Amid the tub-thumping about the economy, sovereignty and border control, neither side's EU Referendum campaign – perhaps unsurprisingly – made any hay whatsoever out of the Cinderella issue of data protection. Nevertheless for UK businesses (as well as practitioners) the prospect of what would happen to the General Data Protection Regulation (GDPR) in the event of Brexit has proved an interesting sideshow. Now we face the reality of the UK leaving the EU, subject to the present political uncertainty, the focus on the issue has become sharper. It is also a microcosm of some of the legislative and regulatory issues that face government in the coming 24 months, if not longer.
Conventional wisdom has been, and persists, that the direction of travel for data protection law in this country is towards the GDPR standard. It was always true that – remain or leave – organisations wanting to do business in Europe would need to be compliant with the pan-EU standard (to meet 'adequacy' requirements), and that the domestic legal standard would likely be brought in line. The UK would after all not wish to be on the wrong end of a Schrems-style judgment by the CJEU.
With the leave result confirmed, putting aside for now the prospect of an extended stalemate, a more technical analysis comes into play. The GDPR "start date" of 25 May 2018 is already marginally ahead of the two-year transition allowed for once Article 50 of the Lisbon Treaty is invoked, even assuming notice was given tomorrow. However, it would seem absurd for any government to allow a month-long period where the legislation was directly effective on UK business and then dropped for good. Parliament will be making its own transitional arrangements which may or may not mean incorporating the existing GDPR into domestic law or, at least, the application of the same heightened legal standard in important concepts such as consent, data subject rights and so on. In the meantime the Data Protection Act 1998 – despite its origin in a European directive – remains effective, a point the ICO was keen to make in its statement on Friday.
An unpanicked phasing-in of GDPR standards remains the advisable approach, although organisations will be forgiven for holding back business-critical decisions until there is greater clarity. In other areas, such as the charity and fundraising sectors, there is already regulatory pressure to adopt a higher standard of consent. What is uncertain is whether all the minutiae of the GDPR's provisions – data breach reporting to the national Data Protection Authority within 72 hours, for example, or the adoption of mandatory Data Protection Officers in certain organisations – will be considered sufficiently central to protecting "the fundamental rights and freedoms" of EU citizens that Member states will not be able to do business with the UK (or what is left of it) without them.
There are also curious pockets of potentially significant impact arising from Brexit which are not directly tied to the GDPR question. The Court of Appeal's judgment in Vidal-Hall v Google, for example, hinged on the compatibility of section 13 of the Data Protection Act (which in a literal reading did not allow data subjects to claim damages for distress without financial loss) with the right to effective remedy for privacy and data rights protected under the European Union Charter of Fundamental Rights. The CA's ruling, that s.13(2) should be disapplied and financial claims brought for distress alone, is currently under appeal to the Supreme Court, and could certainly be overturned if judgment was made in a jurisdiction where the Charter no longer had direct effect.
This may be of relief to media organisations and others, as would the potential lifting or softening of the Environmental Information Regulations 2004 – fiendishly difficult to navigate and comply with (and appropriately unpopular among some of the public bodies affected).
Overall , it would be wrong to assume that the Brexit vote marks a turning of the tide in information law and data protection in particular. Nevertheless that door of possibility is now ajar if a future administration decides that doing away with "red tape" and "box ticking" is more important for our economy than trading with Europe.