Data protection is currently regulated in the UK via the Data Protection Act 1998, being the UK implementation of the EU Data Protection Directive 1995. However, the data protection regulatory regime in Europe is in the process of being overhauled. A new European General Data Protection Regulation (GDPR) was approved and entered into force on 25 May 2016.
There is a two-year implementation period for the GDPR, meaning that it will not apply until 25 May 2018. The timing of the UK exit from the EU will therefore have significant consequences from a data protection legislative perspective. Despite initial uncertainty regarding the application of the GDPR in the UK as a result of the referendum, the UK Digital Minister Matt Hancock confirmed in a written statement in November 2016 that the GDPR will come into force in the UK in May 2018 despite the UK’s move towards Brexit. The confirmation followed a comment made by the Culture Secretary Karen Bradley in Parliament, where she stated “we will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”.
The GDPR is a directly applicable Regulation not needing national implementing legislation. As a result, the current Data Protection Act is likely to be repealed in anticipation of the GDPR, meaning that a UK exit from Europe post-May 2018 may leave the UK having to take steps to adopt new data protection legislation when the GDPR falls away on exit. Many commentators anticipate that this will be dealt with initially by the Great Repeal Bill which would effectively adopt the GDPR as UK legislation. However, as with most things, the devil will be in the detail of this approach. The GDPR contains many references to, for example, the coordination of European data protection regulators. It is not clear how such provisions will apply to the UK and the UK’s data protection regulator post-Brexit.
As an alternative to the approach of the Great Repeal Bill, the UK’s exit from the EU has been viewed by some as an opportunity for data protection reform at a UK national level. A lot of the detail of the GDPR has been criticised in the past by both the UK Government and the Information Commissioner (the UK data protection regulator), as well as UK public listed companies. The UK exit from the EU could therefore leave the UK Government free to adopt a more business-friendly approach to data protection regulation going forward, without being constrained by EU law. However, there are two key issues which mean that it is in practice unlikely that the UK will want or be able to stray far from the principles of data protection set out in the GDPR.
First of all, depending upon the form of the new relationship with the EU, the UK may be required to adopt certain EU laws in any event, including data protection laws.
Secondly, the UK Government will want to ensure that the transfer of data to and from the UK is not restricted, as this could have a negative effect on UK business. In fact the Government has already stated that it is working “to make sure that we achieve a coherent data protection regime and that data flows within the EU are not interrupted after we leave”, a sentiment reiterated in the White Paper. As with the existing UK Data Protection Act 1998, the GDPR includes a provision prohibiting the transfer of personal data outside of the EEA unless adequate protections are in place. If the UK were no longer part of the EEA, as envisaged in the UK Government’s current plan for Brexit, the consequences of this prohibition could force UK organisations to adopt bilateral “model clauses” or other data protection compliance mechanisms in order for data to be transferred to them in the UK from continuing EU Member States. Aside from being administratively burdensome, this is likely to also make UK organisations less attractive as commercial partners than organisations within Europe. In order to mitigate this risk, the Government may seek an “adequacy decision” from the European Commission, declaring that the UK is “adequate” for data protection purposes – an option mentioned in the White Paper. However, this will only be possible if the UK has in place data protection regulation that is essentially equivalent to the GDPR, meaning that any chance of a relaxation of data protection rules in the UK would be effectively lost.
In addition, the extra-territorial nature of the GDPR means that the Regulation will apply to organisations located outside the EU that offer goods and services to EU citizens or monitor their behaviour. Therefore post-Brexit, UK organisations will still need to comply with the GDPR when trading with the EU, although questions still remain regarding the effective enforceability of these new data protection obligations against non-EU data controllers.
Given the current importance of data in the global economy, the potential impact of Brexit on data protection is certainly not to be underestimated. Whilst the Government commits to seeking to preserve the stability of data transfer between EU Member States and the UK in its White Paper, it appears to recognise that this can only be achieved by working with the EU.