How might the “Brexit” vote by the UK to leave the European Union affect privacy law?
Nothing will change immediately; for now, the UK still operates under the current Data Protection Act. As with many things related to European privacy right now, there is no clear answer to the question of what happens in the longer term: the path and timeline to ‘Brexit’ are still uncertain. Article 50 gives a time period of two years for an exit to be negotiated, but it is unclear when Article 50 will be triggered. The earliest exit point is likely to be Q4 of 2018. In the interim the UK will continue to operate under its current legislation.

What happens post ‘Brexit’ depends on the nature of the UK’s relationship with the EU:

  • If the UK leaves the EU, but joins the European Free Trade Association and remains part of the European Economic Area (EEA), the UK would still be required to comply with the Data Protection Directive, and the upcoming General Data Protection Regulation (GDPR) would take effect for UK-based companies as planned (currently May 2018).
  • If the UK leaves the EU without any form of free trade agreement, the UK would be free to revise its data protection framework and deviate from EU standards, and the upcoming GDPR would have no direct effect. The key issue for businesses in the UK would be whether or not the European Commission would designate the UK as ‘adequate’, i.e. with privacy standards that are equivalent to the GDPR. If it didn’t, data transfers from the EEA to the UK would be subject to stricter requirements, much like data transfers to the USA.
  • For US service provider companies, the UK not remaining part of the EEA would mean that data transfers would, in theory, be subject to less restriction. However, the UK would need to balance the benefits of easier transfers to the US against the need to maintain robust privacy laws to ease the flow of data from the EEA to the UK.