We consider what Brexit might mean for the UK’s data protection regime. Will UK businesses have to comply with the GDPR in any event?
The current UK data protection regime is enshrined in the Data Protection Act 1998 which enacted the EU Data Protection Directive (95/46/EC).
If we vote on 23 June 2016 to remain in the EU then the General Data Protection Regulation (GDPR), which seeks to harmonise and update data protection regimes across all EU member states, will automatically come into force sometime in 2018.
If we vote to leave the EU, there will be a two year negotiation period, before we actually leave, in which the UK’s future relationship with the EU is determined.
If the GDPR is enacted within the two year period then it may well automatically come into force in the UK before we leave the EU.
If the GDPR is not enacted by the end of the two year period, the GDPR will not automatically come into force and may not be adopted by the UK government. Given the UK’s relatively business-friendly approach to data protection in the past, it seems unlikely that it will want to apply some of the more onerous provisions in the GDPR if it can avoid them.
However, Britain’s membership of the European Economic Area (EEA) and/or World Trade Organisation, which will have to be decided in the two year negotiation period, will be an important factor in what we can and cannot do.
If we remain part of the European Economic Area (EEA), the UK will still have to comply with the Data Protection Directive. Additionally, the GDPR will have an immediate effect on UK-based companies, as a result of the four freedoms (goods, services, persons and capital) laid out in the Treaty on the Functioning of the European Union, which are incorporated into the EEA Agreement.
If we do not remain part of the EEA, transfers of data to and from the UK would be allowed only if the European Commission considers us to be a “safe third country” as defined in the GDPR. It remains to be seen whether the UK will be categorised by the Commission as such and it may depend on any future revisions to the UK data protection law. If the UK is not categorised as a “safe third country”, company headquarters currently in the UK that process personal data from subsidiaries based in the EU may need to consider changes to the way that they process that data, which could be very burdensome indeed.
If we do not remain part of the EEA but retain membership of the World Trade Organisation (WTO) then the GDPR will have no direct effect on the UK and the UK will not be bound to the Data Protection Directive. The UK could then revise the Data Protection framework without any reference to the EU at all.
However, a key point is that the GDPR provides that any company offering goods or services to EU residents, or monitoring the behaviour of EU residents, will have to comply with it. This is a new provision which is designed to stop companies getting around EU legislation by processing data outside the EU or by not having a physical presence in the EU. This means that there will be no escape for UK companies falling into this category.
So, whatever the outcome of the vote on 23 June 2016, it is clear that any UK business that has operations in the EU or relies on trade with any EU member state should review its existing compliance programmes and make sure that they can be updated and expanded as necessary to comply with the GDPR.