With the year drawing to a close, we have written and published a variety of tech law-related insights throughout 2016. Following the trend of recent years, 2016 has not disappointed in highlighting many important and complex issues in the areas of privacy and data protection. For the MHC Tech Blog, our most popular post related, somewhat unsurprisingly, to Brexit and the effect that it may have on data protection. We have republished this post once more, as it still remains relevant as 2017 approaches.
The result in the recent Brexit referendum creates questions on how the UK’s decision to leave the EU will impact stakeholders across the key sectors of the UK economy.
We take a look at what Brexit means for technology, data protection and privacy.
Existing UK rules
One of the main aspects of the EU and the Single Market is the harmonisation of national laws. Currently, the regulation and protection of personal data in the UK is primarily governed by the Data Protection Act 1998. These rules, like their Irish equivalent, derive from EU law. In the wake of the Brexit vote, the Information Commissioner’s Office (“ICO”) – the UK’s regulator and the counterpart of the Irish Data Protection Commissioner – issued a statement regarding the on-going status of the 1998 Act. In its statement, the ICO made clear that the 1998 Act will remain law post-Brexit.
Despite the fact that the EU-derived 1998 Act will continue to apply, UK and EU paths in respect of data protection may possibly be on course to diverge. On 25 May 2018, the General Data Protection Regulation (“GDPR”) will come into force. Unlike its predecessor – the Data Protection Directive – the GDPR will apply directly to all EU member states. In other words, for the most part, Member States will not require national measures to transpose the GDPR. The GDPR also represents a significant toughening of EU data protection rules. With the UK out of the EU picture, the GDPR will not apply to it. This in turn raises questions as to what form the UK’s future data protection rules will take.
What are the UK’s options?
It is possible that certain quarters of the UK may seek to use Brexit as an opportunity to repeal or significantly amend the 1998 Act. The UK may consider taking advantage of Brexit to loosen data protection standards, and to not adopt the GDPR, thereby placing UK businesses at a competitive advantage, essentially having less red tape compared to companies located in other EU Member States. However, on balance, it is most likely that the UK will end up having to retain EU data protection law, potentially including the high standards contained in the GDPR. This was recognised in a recent statement by the ICO:
"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens."
The GDPR is a “text with EEA relevance” so, if the UK wants to join the European Economic Area, it will need to adopt the GDPR.
Alternatively, if the UK goes another route, including the most flexible 'World Trade Organisation' approach, UK businesses that deal with other EU countries will still need to comply with the GDPR. This stems from the GDPR’s expansive scope. The GDPR will apply to companies based outside the EU which offer goods or services to individuals located in the EU.
Finally, if the UK seeks an EU Commission adequacy decision to get over the data transfer issues as discussed below, it will need to comply with the GDPR. Despite the onerous GDPR compliance burden, the UK might still find itself deprived of some of the key advantages of the GDPR, namely an ability for multinational companies with significant operations in the UK to avail of the ‘one-stop-shop’ mechanism from the UK.
With the UK rescinding its EU membership, serious issues are likely to arise with respect to the free flow of data between the EU and the UK.
Coupled with the harmonisation of laws across the EU is the notion of “free movement” – here, the free movement of data within the EU. Conversely, however, Irish and EU data protection law prohibits transfers of personal data to countries that do not provide an “adequate” level of protection for personal data. Only a handful of countries are recognised as meeting this standard – Canada, New Zealand and Israel among them, as well as EEA members, like Norway. Transferring data to destinations other than these countries requires the EU party to rely on exceptions to the general prohibition, such as by using the EU Commission-approved Standard Contractual Clauses.
However, international data transfers are a fraught area at present. The Irish Data Protection Commissioner recently commenced proceedings in the Irish High Court seeking a referral to the CJEU and a declaration that the Standard Contractual Clauses are themselves in breach of the EU Charter, at least where used for transfers to the US. The results of litigation of this sort may make it more challenging to address data transfers between the EU and the UK, which in turn may present real challenges to UK trade.
As indicated above, the list of countries deemed to provide an “adequate” level of protection for personal data is short. If the UK does not join the EEA, it may ask the Commission to issue a decision finding that UK law is “adequate” for the purposes of international data transfers. However, this could give rise to four sets of difficulties:
First, such an adequacy decision could only be forthcoming if UK law was “essentially equivalent” to EU data protection law. This means that the UK would have to adopt the GDPR (see further above) while being deprived of some of its benefits.
Second, it is far from clear that there would be a political will to issue such an adequacy decision, which must be approved by member state representatives via a qualified majority vote.
Third, certain MEPs have already come out and said that they will campaign against the UK getting an adequacy decision as a result of its national security laws and online surveillance practices.
Fourth, we know from the recent CJEU decision in Schrems that data protection authorities (“DPAs”) in member states will still be able to block exports to countries despite them benefitting from an adequacy decision.
What does this all mean?
Generally speaking, it is likely to be business as usual for at least the coming 12-18 months. The UK’s exit period is expected to take up to 2 years, ending a few months after the GDPR comes into force. This tacks another pressing issue onto the UK’s already lengthy list of negotiation points. An optimist could view Brexit as heralding an era of flexibility and the possibility for the UK to leverage data protection laws to its competitive advantage. The unavoidable reality, however, is that the UK is likely to be significantly more constrained in its options, particularly if it hopes to remain a hub of financial and IT activity.
In many respects, the Leave vote can be seen as playing to Ireland’s advantage in respect of data protection. The Republic will soon be (barring Malta) the only English-speaking nation armed with all the EU benefits of free movement of goods, services, workers, capital and personal data. Under the GDPR, Ireland will also have the benefit of the ‘one-stop-shop’ mechanism. This somewhat reduces the risks of re-regulation of the same set of data processing activities by multiple EU DPAs. It will mean that businesses can structure themselves so as to only be subject to the supervision of a single data protection authority, such as the Irish DPC. This will be a significant advantage to multinational businesses under the GDPR but will not be available to businesses with their ‘main establishment’ in the UK as the concept is defined in the GDPR.