Brexit & DP: Keep calm and carry on?

There are many uncertainties ahead and it will be some time before we start to have an appreciation of how precisely Brexit will impact on domestic laws relating to data protection. However, in the meantime, as the ICO has helpfully pointed out, one certainty is that “the Data Protection Act remains the law of the land irrespective of the referendum result”. Another certainty is that the General Data Protection Regulation (GDPR) will become law on May 25, 2018.


Although the UK has chosen to leave the EU, until it ceases to be a member we will remain fully subject to EU laws and so continue to be subject to the same data protection regime as the rest of the EU.

UK businesses which offer services into the EU, or whose data processing activities otherwise fall within the wide jurisdictional scope of EU data protection laws, will still need to have a complete understanding of the Regulation and how compliance with the Regulation is to be achieved.

This means that businesses still need to undertake their GDPR readiness preparations.  When it comes into effect, the GDPR will apply to every business – whether in the EU or not – that offers goods and services to EU citizens or that monitors EU citizens’ behaviour.  UK businesses selling into the EU will therefore still be subject to GDPR requirements, as will wider international businesses operating across the UK and the EU.  The UK’s leaving the EU won’t change this.


The UK could join Norway, Liechtenstein and Iceland in the European Economic Area (EEA). Members of the EEA enjoy free trade with the EU on condition that they submit themselves to EU laws, meaning the UK will be subject to the GDPR when it comes into effect.

If the UK leaves the EEA, the UK will either not be subject to the GDPR (if by the date of exit the GDPR has not come into effect) or cease to be subject to the GDPR (if the GDPR has by then already come into effect). This means that data transfers to the UK (from the EEA) will be restricted in the same way as data exports from the EEA to the US, unless the EU Commission decides that the UK provides “adequate” protection for data it imports from the EEA. This is what currently occurs with countries like Canada and New Zealand.

The UK could continue to rely on the Data Protection Act 1998 (if it has not already been replaced by the GDPR by the time we leave the EU).

The UK could pass its own new data protection legislation. However, if it did so and this comprised more ‘relaxed’ data protection rules than the GDPR, there would be a risk of not achieving “adequacy” recognition by the EU. If this were to occur it would seriously impact on data flows between the UK and the EU/EEA.


Organisations should continue their GDPR preparation as before. In due course, and subject to the outcome of the UK’s exit negotiations, there will be a need to review and perhaps make adjustments to compliance programs, including relevant data transfer mechanisms, to reflect the fact that the UK will have a separate (albeit perhaps similar) data protection law to the EU.


This article is intended for informational purposes only and should not be relied upon as legal advice.


We believe that data protection is about protecting people and that the four elements of data protection are trust, transparency, privacy and security
