On 23 June, the UK voted to leave the EU. But what does this mean for data protection risk for businesses operating in the UK or using the UK as their "gateway" to Europe or elsewhere?
The basics: a bluffers' guide
The UK joined the European Economic Community (the forerunner of the EU) in 1973. In 1975, there was a referendum in which 65 per cent of the population voted to stay in the EEC. Since then the EEC has evolved into the European Union. In the recent referendum, 51.9 per cent of the UK voted to leave the EU.
The referendum is not binding on the UK Parliament but there is little appetite among MPs to ignore the democratic mandate. It is now up to the UK to trigger the withdrawal procedure under Article 50 of the Lisbon Treaty. This gives the UK and remaining EU members a period of up to two years to negotiate the UK's exit. At present, there is little clarity on the shape of the UK's future relationship with the EU after Brexit in two years' time. This is creating uncertainty as to what "out" actually amounts to in legal terms. These details will be worked out following the appointment of a new Prime Minister (at this stage, it looks as if this may be the Home Secretary, Theresa May) in September.
What happens to data protection now?
There is no change to UK data protection law or the powers of the UK Information Commissioner's Office. So, if you have operations in the UK or host data here, all the usual rules apply (e.g. duties to register, comply with individual rights and pay compensation, comply with the rules on transparency, proportionality, data retention, security and data exports). The ICO continues as the UK's supervisory authority with its enforcement powers.
What happens in the future?
The UK is very unlikely to repeal the current DP laws. The real question is whether we will upgrade to the rules contained in the new General Data Protection Regulation (GDPR). GDPR will impose a raft of new requirements on data controllers and (for the first time) data processors. This includes duties to implement policies, procedures and controls to manage privacy risk, appoint a data protection officer, a series of new individual rights and penalties of up to four per cent of worldwide turnover. It is likely that the UK will implement GDPR compliance requirements.
Here are the main options:
- The EEA option: the UK joins the European Economic Area, which comprises the EU plus Norway, Iceland and Liechtenstein. In this case, the UK is legally required to implement the equivalent of EU law including data protection.
- The Swiss option: the UK signs bilateral trade deals with the EU and accepts duties to apply the equivalent of EU law including data protection.
- The WTO option: the UK signs an independent trade deal without accepting duties to apply the equivalent of EU law. However, there would be a strong commercial incentive for the UK to apply GDPR-type obligations to business, to ensure the UK remains an "adequate" jurisdiction for the purposes of receiving data from other jurisdictions which apply EU (or similar) data protection laws.
It will be in the UK's interests to ensure that "adequacy status" is part of the Brexit negotiation with the EU. There is a potential risk of a Schrems-type challenge in the interim. If there were a delay to adequacy, businesses could plug any gaps, most likely using model contracts or BCRs. These could also underpin the UK's ability to receive data from other non-EU jurisdictions which apply EU-style data protection law (e.g. Argentina, Mexico, Malaysia and Singapore). If a company implements a compliance programme based on a GDPR benchmark, this would also provide informal assurance of adequacy for transfers of data into the UK from overseas.
Does this affect duties to comply with privacy laws elsewhere?
No. International businesses must still comply with all applicable data protection law. In addition, the GDPR will apply with extraterritorial effect where you supply goods and services to EU residents or monitor their behaviour (e.g. online) from any non-EU location. So the GDPR tentacles will stretch to the UK, regardless of the shape of its relationship with the EU, for any business directing services at EU residents.
Where does this leave the ICO?
There is no change at present. The ICO continues as the UK's supervisory authority. The ICO has also published a statement indicating that the UK will continue to need clear and effective data protection law, and makes the point that it has a history of protecting consumers' personal data. The ICO's precise role will depend on whether the UK is in the EEA or not. There is clearly a risk that we lose one of the more moderate and pragmatic voices at the EU regulatory top table.
We expect the main debate in the coming months to be on the shape of the UK's relationship with the EU. Dentons will be tracking this and reporting on the impact on data protection. But we do recommend that organisations continue working towards GDPR implementation as the requirements are now finalised with a legal deadline which is less than 24 months away.