Data protection is currently regulated in the UK via the Data Protection Act 1998, being the UK implementation of the EU Data Protection Directive 1995. However, the data protection regulatory regime in Europe is in the process of being overhauled. A new European General Data Protection Regulation (GDPR) was approved and published in the Official Journal on 4 May 2016 and entered into force on 25 May 2016.
There is a two-year implementation period for the GDPR, meaning that it will not apply until 25 May 2018. The timing of any UK exit from the EU would therefore have significant consequences from a data protection legislative perspective. The two-year notice period required for an exit means that the GDPR would be in effect in the UK at the time of exit. The GDPR is a directly applicable Regulation not needing national implementing legislation. As a result, the current Data Protection Act is likely to be repealed in anticipation of the GDPR, meaning that a UK exit from Europe post-May 2018 would leave the UK having to move quickly to adopt new data protection legislation. The GDPR would fall away and, if it did not move quickly, the UK would be left without any form of data protection regulatory regime.
This potential regulatory gap has been viewed by some as an opportunity for data protection reform at a UK national level. A lot of the detail of the GDPR has been criticised in the past by both the UK Government and the Information Commissioner (the UK data protection regulator), as well as by UK publicly listed companies. A UK exit from the EU could therefore leave the UK Government free to adopt a more business-friendly approach to data protection regulation going forward, without being constrained by EU law.
However, there are two key issues which mean that it is in practice unlikely that the UK will want or be able to stray far from the principles of data protection set out in the GDPR.
First of all, depending upon the form of Brexit undertaken, the UK may be required to adopt certain EU laws anyway, including data protection laws. For example, if the UK joins the EEA, it will be required to have in place data protection laws equivalent to the GDPR.
Secondly, the UK Government will want to ensure that the transfer of data to and from the UK is not restricted, as this could have a negative effect on UK business. The GDPR includes a provision prohibiting the transfer of personal data outside of the EEA unless adequate protections are in place. If the UK were no longer part of the EEA, the consequences of this prohibition could force UK organisations to adopt bilateral “model clauses” or other data protection compliance mechanisms so that data could be transferred to them in the UK from other EU Member States. Aside from being administratively burdensome, this is also likely to make UK organisations less attractive as commercial partners than organisations within Europe. In order to mitigate this risk, the Government may seek an “adequacy decision” from the European Commission, declaring that the UK is “adequate” for data protection purposes. However, this will only be possible if the UK has in place data protection regulation that is essentially equivalent to the GDPR, meaning that any chance of a relaxation of data protection rules in the UK would be effectively lost.
Given the current importance of data in the global economy, the potential impact of Brexit on data protection is certainly not to be underestimated.