Immediately following Brexit, the vast majority of data privacy and public access to information laws in the UK will continue unchanged. Some laws are purely UK with no EU foundation, such as Freedom of Information legislation. Other laws are already UK domestic laws and regulations (although they implement EU obligations). Also many EU concepts, even without being captured by UK domestic statute or regulation, are embedded into the UK body of law via case law. Changes to such laws (especially major changes) are unlikely and would need to be put into effect by new UK legislation.

The more challenging area is EU regulations, which may fall away, depending upon the repeal or amendment of the ECA. The new General Data Protection Regulation (“GDPR”) falls into this category. Practically, the UK will need to meet those higher EU personal data protection standards as otherwise personal data flows from the EU to the UK (assuming it is outside the EEA), will struggle to meet the ‘adequate safeguard’ standard required for those data transfers to be lawful in the EU.

In any event, UK businesses targeting or monitoring sales activity from the UK towards EU citizens will be directly subject to GDPR with its new extra-territorial reach, whether or not the UK retains GDPR-like legislation. It is, therefore, very likely that the UK will adopt legislation to impose all or most GDPR obligations domestically in the UK despite any Brexit. It is of note that the UK’s Information Commissioner is encouraging businesses and organisations to prepare for GDPR regardless of Brexit.

For more detail, please see our articles on 'Brexit: the impact on General Data Protection Regulation and Privacy' and 'Privacy and information law in the UK - What to expect if the UK leaves the EU'.