The outcome of the UK's referendum on its membership of the European Union has left many organisations unclear about the future landscape for data protection.
At the launch of its annual report on 28th June, the Information Commissioner's Office (ICO) stated that, in its view, reform of UK data protection law remains necessary. Over the coming weeks the ICO will discuss Brexit and its impact on data protection law with the UK government, making the case that standards higher than those currently imposed by the UK Data Protection Act should be adopted in any event.
Although Christopher Graham, speaking at his final engagement as the UK's Information Commissioner, was reluctant to speculate on the "what ifs" of Brexit, in our view it seems unlikely that the UK Government, acting on the ICO's advice, would start from scratch in drafting a new data protection law. Despite the vote for Brexit, it would be prudent for organisations to continue to prepare for and implement the European General Data Protection Regulation (GDPR).
It's all in the timing
The GDPR will apply from 25th May 2018, before the UK's likely withdrawal from the EU. Importantly, as a European Regulation, the GDPR has direct effect in UK law without the need for separate legislation by the UK Government. Since Brexit seems unlikely to take effect until October 2018 at the earliest, all UK organisations will need to comply with the requirements of the GDPR for around five months at the very least.
Following Brexit, whenever that may occur, the GDPR will cease to have effect under UK law, but many organisations in the UK will still find themselves caught by it and bound to comply with its requirements. This is because the GDPR applies to any organisation, whether located inside or outside the EU, if that organisation:
- offers goods or services to individuals in the EU; or
- monitors the behaviour of individuals in the EU.
This means that many UK organisations will need to comply with the GDPR post-Brexit if they have any dealings with individuals in the EU.
Adequacy of the UK regime
Those organisations not caught directly by the extra-territorial effect of the GDPR are likely to find themselves subject to similar, if not identical, national legislation in the UK because of the restrictions the GDPR places on international transfers. If Brexit also means the UK leaving the European Economic Area, transfers of personal data to the UK will amount to transfers outside the EEA and will therefore only be permissible if the level of data protection in the UK is regarded as "adequate".
The UK will undoubtedly want to be deemed an "adequate" jurisdiction by the European Commission, which means the UK will have to offer a level of data protection comparable to that offered by the GDPR. It is unlikely that the UK will want to draft a new data protection law, especially at a time when there will be so many other demands on parliamentary time, only to face the uncertainty of placing it before the European Commission for an assessment of its adequacy. It would be more efficient, and in our view more likely, for the UK simply to adopt the GDPR, a text on which it had significant input.
In addition, as noted above, because of the extra-territorial effect of the GDPR, UK organisations which deal with individuals in the EU post-Brexit would have to comply with the GDPR in any event. It would therefore be distinctly unhelpful if they were required to comply with a materially different, and perhaps even contradictory, UK regime at the same time.
The GDPR is dead; long live the GDPR!
Our expectation is therefore that the GDPR will live on in some form under UK law even after Brexit. As a stop-gap, the Westminster parliament may legislate so that the GDPR continues to have effect in the UK in the same way as it did immediately before Brexit. In time, a new Data Protection Act could then be drafted and enacted, replicating the terms of the GDPR in the more familiar style of conventional UK legislation. Either way, the effect will be the same: the material provisions of the GDPR will survive Brexit.
Our advice remains that the highest-risk strategy would be to sit back and wait to see what happens with Brexit and the GDPR. We would urge clients to continue with their compliance programmes on the assumption that the GDPR will have full force and effect from 25th May 2018. In fact, we have spoken to a number of our clients over the past few days and the feedback has been clear: preparations for the GDPR continue full steam ahead!