As the dust begins to settle on this morning’s vote to exit the European Union, many of us currently grappling with the intricacies of the new European Data Protection Regulation (finalised only last month although it seems like years ago) may be forgiven for giving an enormous sigh of relief and putting our already well-worn copies on a shelf to gather dust - but is it that simple?
1. This morning’s vote does not mean that the UK has exited the EU. The UK remains a member state and will do so until the exit process has been completed and that is unlikely to happen before 2018. The GDPR comes into force on 25 May 2018 and unless the UK has ceased to be an EU member state before that date then the GDPR will take effect in the UK, unless (presumably) both sides agree otherwise.
2. Even if the UK has ceased to be an EU member state before the date that GDPR comes into force, its terms will still be relevant to the UK. Firstly, the GDPR contains provisions that require non EU organisations processing personal data of EU citizens for the purposes of offering goods and services (or monitoring activities) to comply with its terms in relation to that processing.
So, for example, UK companies targeting online sales to EU citizens will be caught. Secondly, transfers of personal data from the EU to the UK will need to comply with the GDPR as well. So, if the UK wishes for personal data to be easily transferrable from the EU to these shores, it will need to adopt GDPR or some other data protection law that the EU recognises as giving adequate protection to personal data.
Meanwhile, as the ICO has said in a press release issued this afternoon, the Data Protection Act 1998 continues to apply. Moreover, in the ICO’s view:
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”