The recent decision to leave the EU has left many wondering about the future of data protection law in the UK, not least because of the impending introduction of the General Data Protection Regulation (GDPR), coming into force on 25 May 2018.
The GDPR requires all EU countries (including, until its exit, the UK) to implement a stricter data protection regime, including:
- Stricter requirements for obtaining consent to use personal data;
- Raising the age of consent from 13 to 16 years old;
- Greater fines for non-compliance with data laws of up to £20m or 4% of a company's global revenue;
- Requiring data controllers to notify national regulators about data breaches within 72 hours; and
- Requiring data controllers to delete personal data if it is no longer being used for the purpose it was collected, or if an individual withdraws their consent.
The GDPR's requirements are robust and complex, so companies have been well-advised to begin preparing for its enforcement comfortably in advance of the 2018 deadline. However, once the UK exits the EU, British companies will no longer be bound by these regulations, putting data controllers in a difficult position in the current climate of uncertainty. This is compounded by the fact that the UK is unlikely to have made its exit by the time the GDPR comes into force in 2018, but will probably be set to leave within a few years. The UK could then choose to diverge from the GDPR's requirements. If this were to happen, data controllers may feel that the time and money they spent implementing the GDPR has gone to waste.
At the moment it is hard for data controllers to know if they should continue to work towards implementation, or wait and see how Brexit affects plans for the GDPR's enforcement. Thankfully, the national data regulator, the Information Commissioner's Office (ICO), has already given us a helpful indication of its position.
The ICO's position
The ICO released a statement on the day the referendum results were announced. The message is clear:
"The Data Protection Act remains the law of the land irrespective of the referendum result... If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
The ICO's statement indicates that the standards required by the GDPR will be implemented in the UK, regardless of whether or not the GDPR itself becomes part of our legislation. The ICO has clearly taken a pragmatic approach; while the UK will no longer be required to implement these regulations as an EU member, UK companies will undoubtedly want to continue to trade with EU member states on the best terms possible. In order to do so, UK companies will need to meet the standards of data regulation required by the EU. If the UK wishes to remain within the EEA (as many hope it will), it will need to implement the EU's data protection requirements, as Norway has done.
Not another Schrems
The GDPR will continue to restrict transfers of personal data to "third countries" (i.e. countries outside of the EEA). This means that if the UK becomes a third country and chooses not to follow EU data protection law, it will still have to implement equivalent standards of protection. This will allow UK companies to continue to exchange personal data with EU member states. If the UK does not provide equivalent protection, it will need to negotiate an agreement with the EU in order for companies to continue to exchange data with EU members.
The UK is likely to want to avoid the need for a separate data transfer agreement, particularly in light of the Court of Justice of the European Union's (CJEU's) decision in Schrems v Data Protection Commissioner (Ireland). The US and EU previously exchanged data through the US's Safe Harbor scheme, which created a framework of self-regulation within which US companies could trade with EU members. However, in 2015 the CJEU issued its judgment in Schrems that US Safe Harbor provided inadequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA. The US and EU are currently in discussion on a new data transfer agreement which many say will take years to finalise. In the meantime, US companies are on notice that they are no longer protected by Safe Harbor and are liable for penalties if they do not meet EU data protection standards.
Where do we go from here?
The ICO's statement on Brexit indicates it will push to avoid a similar situation arising with the UK, which would most likely harm business and require a long negotiation process. Regardless of EU requirements, the UK has always been an advocate for data protection and high security standards. The UK is therefore likely to continue to offer the best form of protection to individuals, making compliance with the GDPR an obvious decision. It may be that the ICO decides to implement the GDPR's changes as an amendment to the Data Protection Act 1998, rather than enforcing a new piece of legislation, but there is no sensible reason why the UK would not want to have in place the same or substantially the same obligations for the protection of data subjects. Either way, compliance with the GDPR looks likely.
An alternative is that the GDPR will come into force on 25 May 2018, as negotiations over the UK's exit will not have been finalised. The UK parliament will then pass an Omnibus Act maintaining all laws derived from the EU's jurisdiction, and then over time repeal and/or replace EU legislation.
Whether the UK will continue to use the EU as a benchmark, however, is yet to be seen. The ICO may decide that the UK will take a different view on best practice in future. For now, however, companies would do well to keep working towards the GDPR deadline. Whether or not we will be bound by it, we are likely to be bound by its standards. The ICO's increasing willingness to robustly enforce the present law on data security – it has issued fines totalling £2m in the past 12 months – provides a further compelling reason to ensure organisations follow best practice.