Whatever the outcome of the Brexit vote on 23 June, UK organisations face a period of significant legislative change in respect of data protection and cyber security laws. The cornerstone of the current regulatory regime (the Data Protection Act (DPA)) is based on laws written in 1995 when Google was 3 years from incorporation, Mark Zuckerberg was 11 and cloud computing in its infancy as compared to today. It is overdue a significant refresh.
A date for that refresh is already diarised for Friday 25th May 2018 – when the General Data Protection Regulation (GDPR) will come into force across the European Union (EU). The UK will also very likely shortly be committed to implementing the so-called Cyber Directive – the Network & Information Security (NIS) Directive – along with other EU Member States, most likely by Spring 2018. A new directive for the police and criminal justice sector has also been finalised and must be passed into EU Member State law by 6th May 2018.
So what would the data protection and cyber security law consequences be for the UK were it to vote to leave the EU in June 2016?
The first point to make is that the GDPR is due to apply less than two years after the Brexit vote will take place. That's significant because it means that the UK is very likely to experience life under the GDPR to some degree even if it votes to leave the EU. Under Article 50 of the Lisbon Treaty, the UK would have to serve notice of its intention to exit the EU and negotiate a withdrawal agreement. The UK Government has indicated its belief that a leave vote on 23 June 2016 would constitute such notice, but the position is not completely clear. Unless there were to be unanimous agreement to the contrary, the earliest that any withdrawal agreement would take effect under Article 50 is two years from service of notice of the UK's desire to Brexit.
So unless withdrawal arrangements can be negotiated and unanimously agreed in less than the 2 year period mentioned in Article 50, the GDPR will apply in the UK on 25th May 2018.
The GDPR's 'long arm' approach to jurisdiction
The second point to note is that even if the overlap between the UK's EU membership and the application of the GDPR in the UK were to be short lived, any UK business which trades in the EU will have to comply with the GDPR from May 2018.
That's because the GDPR's many obligations will apply to organisations which are established in the EU or which process personal data of EU citizens in connection with the offer of goods or services, or the "monitoring" their behaviour within the EU (most likely including many on-line behavioural marketing activities). So the substantial fines which the GDPR will usher in could be imposed by data protection regulatory authorities across the EU upon a UK company which did not comply with the GDPR. In many cases fines equivalent to the greater of 4% of worldwide turnover or €20m can be imposed under the GDPR.
So any UK business which has a group company or staff operating within the EU or which operates a website which targets EU citizens is highly likely to have to comply with the GDPR's provisions. Likewise the amendments to the e-Privacy Directive when they are finalised in due course.
The UK's post-Brexit options and 'adequacy'
The most obvious post-Brexit options for the UK for interacting and trading with the EU are particularly interesting when looked through a data protection law lens
The European Free Trade Association (EFTA) model: often referred to as the Norwegian model, if it took this route, the UK would remain a party to the European Economic Area (EEA) Agreement. It would therefore benefit from free trade arrangements and be included in the EU single market but would have to commit to comply with certain fundamental EU rules and restrictions. For Norway, Iceland and Lichtenstein (the current non-EU members of the EEA) this currently means that they have each implemented the Data Protection Directive and the e-Privacy Directive into their respective local laws. It seems unlikely that the UK would be able to avoid accepting the GDPR as is if this post-Brexit option were adopted.
The Swiss model: Switzerland is not a member of the EEA but is a member of the EFTA. It accesses the EU single market via a regularly updated bilateral agreement. Switzerland has its own data protection laws which look and feel very similar to the laws of an EU Member State which has implemented the Data Protection Directive. Indeed Switzerland's laws have been recognised as "adequate" by the European Commission (EC) – i.e. adequately protective of the rights of EU citizens thereby enabling transfers of personal data from EU data controllers to Swiss based importers to legitimately take place. It remains to be seen whether, when and how Switzerland will update its current data protection laws to mirror the GDPR to ensure that its 'adequacy' decision is not revoked by the EC after the GDPR comes into force.
The 'go it alone' model: the UK could seek to strike deals with the EU independently or via collective organisations such as the WTO (i.e. following the approach currently adopted by countries such as Canada and the USA.) If it did so then, on the face of it, it would have free rein to choose the form of data protection laws which it introduced to update the DPA. However, recent history tells us that, when it comes to the question of data transfers, EU law makers and regulators take an extremely dim view of countries which do not adopt EU strength data protection laws. The current stand-off with the USA in respect of the now invalid Safe Harbor data sharing arrangement is a case in point. The UK economy, in particular its financial services sector, relies on an ability for data to be freely transferred to and from the UK.
Were the UK to Brexit and then not upgrade its data protection laws to a GDPR level standard, the question would inevitably arise soon after the GDPR's 25th May 2018 introduction whether the UK laws offer data protection 'adequacy'. The answer would almost certainly be that they do not. That would put the UK in the position of having to adopt either EU strength data protection laws (to join countries such as Canada as benefiting from an adequacy decision), or an EC approved data compliance system (as the USA is currently seeking to do via the EU-US Privacy Shield) if it wanted to avoid inconveniencing UK businesses - by forcing them to adopt other adequacy mechanisms, such as the EC's standard contractual clauses, every time they received data from the EU. Historic criticism of the UK's security services in the context of the revelations made by Edward Snowden would very likely be raised by the EC as well as EU based data protection regulators in the context of any future discussion regarding UK 'adequacy'.
Looking at each of these options it is hard not to reach the conclusion that, whatever the outcome of the Brexit vote, it seems likely that either the GDPR or a law that looks very like it would be required in the UK after 25th May 2018.
A word about the NIS Directive
If the UK Brexited it would no longer be forced to adopt EU laws, including adopting EU Directives into our national law. This would include the NIS Directive which, absent a Brexit, would otherwise be expected to give rise to the UK Cybersecurity Act 2018.
The sense of a decision not to adopt the directive or a near clone of it into UK legislation would be questionable. Even if wearing the most staunchly nationalist pro Brexit hat it is hard to identify much of the NIS Directive that doesn’t make plain common sense. Clearly the elements of the directive that address a global European approach to minimum capacity building and planning requirements, exchange of information, cooperation and common security requirements would need to be reconsidered but the obvious benefits of commonality of approach to the global threat to cybersecurity would be a spur to find ways to voluntarily lock into the EU adopted NIS Directive regime.
Given that in the event of a Brexit the UK will no doubt wish to continue to trade with the EU closely comparable law in many areas will be necessary to avoid barriers to trade. A symbiotic UK Cybersecurity Act is highly likely to be in one of those areas.
This article is part of our Brexit series.