When will it be known if the UK will leave the UK?
A referendum on whether the UK should leave or remain within the EU will take place on 23 June 2016. This has become known as `Brexit', an abbreviation for British exit from the EU
In the event of a UK vote to leave the EU, it not absolutely clear what would happen and when. The most likely reaction will be that the UK will give notice to leave the UK, using the procedure set out in Article 50 of the Treaty on European Union. Views about when notice to leave may be given vary, ranging from 24 June 2016 through to sometime in 2018.
When would the UK leave the EU following a Brexit vote?
Serving notice to leave the EU triggers the need to agree withdrawal terms with the EU and hopefully negotiations would at the same time agree how the new UKEU relationship would operate. Under Article 50, the UK would leave the EU on the sooner of agreeing terms and the expiry of two years from giving notice to leave, although if all agree, the period may be extended. Agreeing terms with the EU will probably take more than two years, so depending on when notice to leave was given, the UK would probably leave the EU sometime between summer 2018 and 2020.
It will be important to understand the implications of leaving the EU in order for to set appropriate strategies and make plans for the future.
How does EU law fit with UK law?
There are broadly two different types of EU law.
- Indirect EU laws, such as EU directives, normally need to be implemented by domestic UK legislation, whether statutes (Acts of Parliament which are primary legislation), or statutory instruments (regulations which are secondary legislation) to become applicable and enforceable in the UK. Those domestic UK laws will be unaffected by Brexit and will continue unless and to the extent the UK Parliament repeals or amends them.
- Direct EU laws, such as EU regulations, apply directly in the UK without the need to be implemented by UK domestic legislation. These EU laws will potentially be most affected by Brexit. They will automatically fall away and cease to apply to the UK if the UK leaves the EU, unless and to the extent the UK Parliament legislates otherwise.
The UK courts have confirmed that UK law must be interpreted in compliance with EU laws. Judgments of UK courts and judgments of the Court of Justice of the European Union (CJEU) on such EU laws are relevant and binding in the UK. Even though not codified by legislation, those decisions form part of the UK's body of law.
The EU also has its Charter of Fundamental Rights, with rights to privacy, the protection of personal data and access to information. Despite Protocol 30, intended to prevent those rights becoming exercisable in the UK, UK courts have made decisions based on those fundamental rights, which as a result now form part of the UK's law.
So how much privacy and information law is derived from the EU?
Not all of the UK's privacy and information laws flow from the EU. For instance, the Freedom of Information Act 2000 and its Scottish equivalent legislation are purely domestic creations. As such, they will remain unaffected by any UK departure from the EU.
Most other laws in this field do flow from the EU. However, the majority are indirect EU laws, such as the public access to environmental information directive 2003/4/EC, implemented in the UK by the Environmental Information Regulations 2004 and their Scottish equivalent (EIR). Unless and to the extent that the UK Parliament decides otherwise, the EIR and similar legislation will remain as is notwithstanding any UK exit from the EU.
The glaring exception is the impending EU wide General Data Protection Regulation (GDPR) which will come into force in the UK, as in all other EU member states, on 25 May 2018 before the UK can leave the EU. As a direct EU law, GDPR would then later automatically fall away in the UK on any departure from the EU.
What will be the impact of proposed deregulation following Brexit?
Privacy and public access to information laws can trigger polarised views about their benefit, whether or not they should be retained and to what extent. This is particularly the case in the context of arguments to remove or trim such laws to aid businesses and their competitiveness by reducing what some see as unnecessary "red tape". Many sectors in the UK have for instance raised concerns about the potential impact of GDPR on them during its negotiation over recent years.
What will be the pressures to retain such EU laws?
Proposals to sweep away or strip back such laws are likely to face challenges from individuals and pressure groups who believe in the fundamental importance of the relevant legislation and who have become accustomed to exercising their rights under such laws. For instance, the right of an individual under data protection legislation to understand what is happening with their own personal information; or the right of a pressure group to obtain vital data from public authorities about the impact of activities on the environment.
Even if GDPR and similar laws were allowed to lapse on any EU exit, GDPR would continue to apply to those UK businesses offering goods and services to, or monitoring behaviour of, individuals in the EU from the UK. This would be as a result of the new extra-territorial scope provisions in GDPR, extending its impact beyond EU territory.
Politically, it would not be an attractive option to allow these laws to simply fall away, leaving nothing in their place, such as trying to explain to UK citizens why overnight their personal information is no longer worthy of protection especially compared to the protections afforded to individuals who remain EU citizens.
Economically, allowing such a lacuna to form would also not be recommended. To be an attractive trading partner and investment opportunity, the UK must be able to demonstrate the growing international expectation for respect and protection for personal information and the wider the gulf between standards in the UK and other regions like the EU, the harder that will become. Unless agreed otherwise before any EU departure, which seems unlikely, if the UK left the EU, it would also cease to be part of the European Economic Area (EEA). That would mean that all flows of personal data across the border from the EEA to the UK would no longer be lawful and additional steps would be required to ensure they were made with "adequate safeguard", such as by using European Model Clauses. The UK is likely to want to be urgently recognised by the Commission as having domestic data protection laws which ensure adequate safeguard for personal information to minimise disruption. To do so, the UK will be under pressure not only to have data protection laws but to maintain the expected upgrade to current laws to be delivered by GDPR. For more details, please see our separate GDPR and Brexit briefing on our GDPR hub.
What is the likely outcome on privacy and information laws if the UK leaves the EU?
It is anticipated that as a result of these pressures and to minimise the confusion and disruption that an overnight gap in legislation would create, the UK would enact domestic legislation to adopt relevant direct EU laws, like GDPR, into domestic UK law. This would counteract the automatic falling away of GDPR which would otherwise result from UK departure from the EU.
So, at least in the short to medium term, GDPR would probably continue to apply in the UK following Brexit. Over time, the UK may re-assess legislation originating in the EU which has been retained, removing any aspects which it believes are "gold plated" or adjusting provisions or their interpretation to better suit the UK. By way of example, the UK Parliament may choose to grasp the more challenging aspects of EIR compliance, such as clarifying the scope of "environmental information" and permitting a Government power of veto even in EIR cases. It is not anticipated that the UK would completely remove the EIR it must still comply with its obligations under the Aarhus Convention, so some legislation on public access to environmental information will be necessary. Difficulties may arise in the event that, especially in the longer term, the UK decides to diverge from the previous EU provisions, for example in respect of GDPR, and create its own solution, for instance, still meeting GDPR-like standards but with different requirements and approaches to achieve them.
Notwithstanding the changes, many international businesses are likely to adopt and apply full GDPR compliance standards across all their operations, including in the UK, for expediency. It is worth noting that despite GDPR harmonisation, local advice and approaches will remain important as businesses will still need to comply with permitted local GDPR differences as well as related local laws, such as in respect of telecommunications and data retention.
Decisions on data protection and information laws in the EU prior to any Brexit will remain binding in the UK, even post Brexit (unless and to the extent the UK Parliament legislated to prevent that effect, which would be unlikely). Even decisions of the CJEU following any Brexit may continue to impact the UK, having a persuasive value which may be taken into account by the ICO or UK courts and tribunals.
By way of reminder, any departure from the EU will have no automatic effect on the UK's membership of the Council of Europe, obligations to comply with the European Convention on Human Rights and to follow decisions on human rights by the European Court of Human Rights. These will remain an important element of privacy and information law compliance in the UK, especially in respect of public interest and proportionality deliberations.