Even with the UK leaving the EU, the data protection laws that will apply in the UK following Brexit are likely to be either the forthcoming General Data Protection Regulation (“GDPR”) or something equivalent to the GDPR, depending on the relationship model adopted by the UK and EU post-Brexit. Consequently, UK businesses would be wise to plan now for having to comply with the GDPR, or an equivalent regime, in 2018.
This article explores the effect of the result of the EU referendum on the data protection laws that are likely to apply in the UK immediately before the UK’s exit from the EU and afterwards.
The General Data Protection Regulation
The GDPR was formally adopted on 4 May 2016 and is set to replace most EU data protection legislation, including the current data protection Directive and associated implementing national legislation.
Unlike the current Directive, the GDPR (as a consequence of being a European Regulation) will be directly applicable in all EU Member States without the need for national legislation. It will apply from 25 May 2018.
The effect of the EU referendum on the GDPR in the UK
On 23 June 2016, the people of the UK voted for the UK to leave the European Union. To actually leave, the UK will, pursuant to Article 50 of the Treaty on European Union, need to notify the European Council that the UK intends to withdraw from the EU (the “Article 50 Notice”). Following such notification, the EU shall negotiate and attempt to conclude an agreement with the UK, setting out the arrangements for the UK’s withdrawal (the “Withdrawal Agreement”).
The EU treaties, and with them membership of the EU, shall cease to apply to the UK from the date of entry into force of the Withdrawal Agreement or, failing that, two years after the date of the Article 50 Notice, unless the European Council and the UK decide to extend this period.
Given the complexities of leaving the EU, it is quite probable that the UK will need the full two years (and potentially longer if it can be agreed with the European Council) after the date of the Article 50 Notice to leave the EU. Thus, unless action is taken to prevent the GDPR applying directly in the UK, it is likely that the GDPR will be the incumbent primary data protection legislation in the UK prior to the UK leaving the EU. The probability of this being the case increases the longer the UK takes to serve the Article 50 Notice.
What happens after the UK actually leaves the EU?
The data protection regime that will apply in the UK after the UK actually leaves the EU will depend on which route the UK takes post-Brexit. From a data protection perspective, there are broadly two scenarios to consider:
- Continued membership of the EEA: If the UK continues to be a contracting party to the EEA Agreement post-Brexit and thus a member of the European Economic Area (“EEA”), the GDPR, being a legal act marked by the EU as relevant to the EEA, will apply to the UK as it would other non-EU signatories to the EEA Agreement (i.e. Norway, Iceland and Liechtenstein).
- UK outside the EEA: If the UK is not a member of the EEA post-Brexit, the GDPR would not directly apply to the UK. The UK would, at least technically, be free to choose whatever data protection regime it liked. However, for the reasons set out below, the UK is likely to want to implement a regime that is equivalent to the GDPR.
Equivalence to the GDPR - Transfers of personal data from the EU
The GDPR, like the current Directive, provides that personal data should not be transferred to a country outside the EEA unless there is an “adequate level of protection” or an exemption applies. Unless data privacy is to become a barrier to trade with the EU, the UK will want the European Commission to decide that the UK “ensures an adequate level of protection”. Practically, this would require the UK to either opt for a data protection regime that is identical to the GDPR or, if not identical, is equivalent to that of the GDPR. Given the extent and previous intensity of European debate around the GDPR, it seems unlikely that the UK will have the appetite to reopen the debate and seek to reach an equivalent regime for European approval (with an inherent risk of future challenge), but is more likely to opt for the GDPR itself.
Alternative data transfer “mechanisms”, for example an agreement akin to the “Privacy Shield” that is currently being negotiated with the US for US-EU personal data transfers, the use of standard contractual (model) clauses, the implementation by organisations of binding corporate rules, or reliance on certain exemptions, may be time-consuming, cumbersome and/or costly to implement and may not deliver the necessary compliance with the GDPR in all data transfer scenarios.
Jurisdictional reach of the GDPR
The GDPR casts a wide jurisdictional net and covers not only EU established organisations, but also any organisations that are established outside of the EU but have processing activities related to the offering of goods or services to individuals in the EU, or monitoring the behaviour of individuals in the EU. These organisations will be subject to the GDPR and will be required to appoint an EU-based representative. Although it is not yet clear what enforcement would look like, the GDPR has the potential to reach into the UK even after the UK has left the EU.
Given the importance of moving data around the globe, including from the EU to the UK and beyond, and the jurisdictional reach of the GDPR, it is likely that UK organisations will have to comply with UK data protection legislation that is at least equivalent to the GDPR, if not the GDPR itself. Organisations would therefore be advised to continue planning for the GDPR as the need to comply with such a regime appears increasingly likely. Meanwhile, the wider debate around activation of the Article 50 Notice continues.
The CMS data protection team provides expert advice on all information security and privacy matters. We regularly provide advice and training to clients on data protection compliance.