The current regime: the Data Protection Act 1998
The Data Protection Act 1998 (DPA) (the UK implementation of the Data Protection Directive 95/46/EC) provides the legal safeguards for the protection of privacy of individuals and covers how individuals' data can be lawfully collected and processed. The DPA will, for the time being, remain the law in relation to data protection; this is not changing as a result of the vote to leave.
The new regime: the GDPR
The GDPR will replace the Data Protection Directive from 25 May 2018 and unless Brexit negotiations between the UK and the EU are finalised before then, it is very likely that the UK will experience life under the GDPR.
After the UK leaves the EU, the GDPR will cease to apply. However, the reality for any UK business trading with the EU is that compliance with the GDPR will be necessary irrespective of the terms on which the UK leaves the EU. This is because one of the many changes under the GDPR is that the GDPR will apply whenever EU residents’ personal data is processed in connection with the offer of goods or services or the monitoring of behaviour within the EU. This will apply even if the organisation processing such data has no physical presence in the EU.
There are a number of models for data protection reform post-Brexit, and the ICO, in its statement of 28 June 2016, has already stated that it “will be speaking to government to present [its] view that reform of the UK law remains necessary”.
What the data protection regime will ultimately look like will, in part, depend on the deal that is struck with the EU on the terms of the UK’s exit.
- If the UK remains a party to the European Economic Area (EEA) Agreement (and becomes a member of the European Free Trade Association (EFTA)), it will continue to have access to the EU single market. The EEA Agreement provides for the inclusion of EU legislation covering the four freedoms – the free movement of goods, services, persons and capital – throughout the EEA. Consequently, like the existing non-EU members of the EEA, which have all implemented the Data Protection Directive into local law, the UK would most likely have to accept the GDPR.
- If the UK opts to join EFTA but no longer remains a party to the EEA (like Switzerland), then the UK would have to be able to demonstrate 'adequacy' (i.e. the UK would have to be able to demonstrate equivalence with the GDPR). At this early stage, using the GDPR as the model on which to base national law appears the most suitable route map to achieving ‘adequacy’ and demonstrating parity with the EU data protection regime.
- If there is no free trade agreement, then the UK would have the freedom to revise its data protection regime and deviate from the standards set by the Data Protection Directive and, subsequently, the GDPR. This is likely to be a more difficult option, and recent experience (e.g. Safe Harbor) has demonstrated the tumultuous relationship between third countries and the EU where those countries do not offer protection to EU data subjects comparable to that set out in EU legislation.
What do you need to do?
For now, maintain compliance with the DPA and continue to prepare for the GDPR; compliance with the GDPR is likely to be the best preparation for the UK’s new regime, whatever that may look like.