As the June 23 referendum on Britain’s membership in the European Union looms, the possibility that Britain will exit the European Union (“Brexit”) raises data privacy issues.
Being part of the European Union has meant that UK businesses are subject to numerous data protection laws. The UK has enacted most of its domestic data protection laws, such as the Data Protection Act 1998 (DPA), to implement European Directives. If a “Brexit” occurred, existing domestic legislation would remain unless and until changed by the UK government. This means that businesses in the United Kingdom would continue to be subject to the DPA. The Information Commissioner’s Office would also remain as the UK data protection authority with regulatory powers to conduct investigations into breaches of the DPA and issue penalties for noncompliance.
Any UK business that offers goods or services to European consumers, or that has a website accessible in Europe, will need to comply not only with the DPA but also with European data protection laws such as the new General Data Protection Regulation (GDPR).
Most UK businesses are almost certainly going to need to transfer personal data to Europe and to other countries outside Europe such as the United States. Currently, whilst the United Kingdom remains part of the European Union, there are restrictions against transferring personal data (without consent from the individual) outside of Europe, other than to certain “adequate” countries such as Canada or Switzerland, or where the business has a legally permissible mechanism such as model clauses or binding corporate rules in place. If the United Kingdom leaves the European Union, the UK government will need to decide whether it will retain the same restrictions for cross-border transfers or adopt an alternative solution. If the proposed EU-US Privacy Shield is enacted and the current restriction on such data transfers is retained, the UK government will need to decide whether it will adopt a similar model for data transfers from the United Kingdom to the United States. Additionally, the United Kingdom is likely to apply to the European Commission for a decision of “adequacy” that would allow European countries to transfer personal data to the United Kingdom. This will, of course, depend on whether the UK government has passed laws that differ from the current DPA and whether the European Commission views the standard of “adequacy” as having been raised after the GDPR becomes effective.
Data security is becoming increasingly important for businesses. Similarly, privacy is becoming increasingly important for individuals globally. It therefore seems unlikely that any government would wish to repeal the DPA and pass weaker data protection laws in the United Kingdom, thereby undermining consumer confidence in UK businesses and potentially exposing them to increased data security breaches.