After 4 years of negotiations the new General Data Protection Regulation ("GDPR") was finalised in December 2015. It was published in the Official Journal of the European Union in early May 2016 and, following a 2 year implementation period, it will be applicable across all member states from 25 May 2018.
Following the UK's decision to leave the European Union there are now questions around what approach the UK will take to data protection moving forward.
Even if the UK does not implement the GDPR we will need to have a data protection law that is equivalent to the GDPR, so our advice to clients is to continue to prepare for the GDPR.
Our experienced data protection lawyers are continuing to assist clients to prepare for the GDPR whilst at the same time maintaining contact with the Information Commissioner's Office ("ICO") to stay abreast of its discussions with government during this uncertain period.
Following confirmation of the UK's vote to Brexit, the ICO issued the following statement:
"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary".
Whilst the ICO is not responsible for determining what legislation governs data protection, it is clear that its preference is for data protection in the UK to stay aligned with data protection in the European Union.
Data protection during Brexit negotiations?
It's important to remember that, despite the UK's vote to Brexit, the Data Protection Act 1998 will continue to govern data protection until the earlier of Brexit or 28 May 2018.
As we all know by now the UK is required, under Article 50 of the Lisbon Treaty, to serve notice of its intention to leave the European Union and from that point there will be a period of two years to negotiate the terms of Brexit. There is some legal debate about how Article 50 will be triggered but it is unlikely that anything will happen until there is a new Prime Minister in place in early September.
As a result, no matter what happens, it is very likely that the UK will still be part of the European Union when the GDPR becomes applicable.
Extended territorial scope
Organisations located outside the European Union will be subject to the GDPR where they process personal data about individuals in the EU in connection with offering them goods and services, or monitoring their behaviour within the EU.
So no matter what option the government takes, it is clear that any UK business looking to trade with the European Union will need to comply with the GDPR despite Brexit. Another consequence of Brexit is that any UK company caught by the GDPR post-Brexit will need to appoint a representative within one of the remaining 27 member states.
What are the options?
As I have said, it is quite likely that the UK will still be part of the European Union on 28 May 2018, so UK organisations that process personal data will need to prepare for the GDPR. In previous updates we have highlighted that 2 years is not a long time to prepare for the complete overhaul of data protection regulation that is the GDPR.
There are three main options for the UK post Brexit:
- The Norwegian approach - If the UK decides to be a party to the EEA Agreement the UK will have to comply with certain fundamental European Union laws in order to access the free market. The existing non-EU members of the EEA have implemented the Data Protection Directive into their domestic legislation and will replace this with the GDPR over the next 2 years.
- The Swiss approach - Switzerland, whilst being part of the European Free Trade Association, is not a member of the EEA. Switzerland has a standalone data protection regime however Switzerland is one of very few jurisdictions that the European Commission has found to have adequate data protection legislation. This means that data can move freely between the European Union and Switzerland without the need for any additional protections.
- An independent UK approach - If the UK decides to take its own approach and negotiate its own trade deal with the EU, then the UK could decide to repeal the current data protection regime and implement its own data protection legislation. When we see the difficulty that the USA is having following the collapse of "Safe Harbour" and the subsequent disagreements around its proposed replacement, "Privacy Shield", it is unlikely that the UK will want to end up in a situation where data flows between the UK and EU are restricted. The approach taken by the UK under the Data Protection Act 1998 has often been criticised by other member states, which consider that the UK has not adequately implemented the existing Data Protection Directive. It is important that data transfers between the UK and EU are central to whatever approach the UK decides to adopt.
It is also worth noting that the ICO currently has a seat at the Article 29 Working Party table. The Article 29 Working Party is a body made up of the member states' data protection regulators. Under the GDPR the Article 29 Working Party will become the European Data Protection Board, which will be responsible for overseeing data protection compliance across the EU.
As a consequence of Brexit the ICO will lose its position within the European Data Protection Board. If the UK takes the Norwegian approach the ICO will be able to continue attending these meetings, but it will not have any influence.
Until we actually Brexit the ICO will continue to try to shape opinions and approaches within the EU; however, it is likely that the ICO's influence will become increasingly redundant as we approach Brexit.
What should you do now?
It is apparent that, despite Brexit, the UK will want to continue to trade with the European Union, so it will be essential that there are no restrictions on the transfer of personal data between the EU and the UK.
Organisations need to continue preparing for the GDPR, as it will take 2 years to prepare for many of the changes being introduced by the GDPR, including (for the first time) statutory obligations on data processors, new breach reporting obligations, contractual requirements and increased levels of liability.