The EU’s new General Data Protection Regulation (GDPR ) was formally adopted on 4 May 2016 and will come into effect across the EEA on 25 May 2018. The GDPR is designed to strengthen and harmonise data protection within the EU and – crucially – is a directly enforceable regulation rather than a directive (which, in theory, would require domestic implementation by each member state). Since the UK remains a member state until the Article 50 process for leaving is formally concluded, it is likely to be subject to the GDPR, if only temporarily.
Although it looks unlikely that the UK will manage to leave the EU before May 2018, if it does, the current Data Protection Act 1998 (DPA) will remain in force. However, post-Brexit, the UK will need to be able to demonstrate continuing “adequate” data protection provisions in order to retain current commercial arrangements with the EU. The GDPR is obviously the best indication of what will be considered “adequate” and the UK Information Commissioner’s Office may therefore take increasing notice of the GDPR when interpreting and enforcing the DPA. In time, the UK may also choose to amend or replace the DPA to keep more closely in line with the GDPR, especially if the UK’s eventual path lies with membership of the EEA (the “Norwegian” model) or EFTA (the “Swiss” option).
If the UK chooses to truly go it alone and forge bespoke trade deals with select partners (the “Canadian” option), then it will (in principle) have the freedom to revise its data protection laws as it sees fit. However, commercial and international pressure will nudge it in the direction of the GDPR and recent experience of the US Safe Harbor provisions does not bode well for countries who wish to trade with the EU but whose data protection does not meet EU standards.
Safe Harbor was a scheme which allowed compliant US companies to self-certify as offering adequate levels of data protection. It was, however, struck down in 2015 because of concerns surrounding US Government access to personal data. A putative replacement, “Privacy Shield”, has been mooted but not yet universally accepted. Instead, many businesses have chosen to take the alternative safe route of the European Commission’s Standard Clauses (which are accepted to be adequate) or make their own adequacy determination for transferring data outside the EEA (a riskier option). In due course, Privacy Shield - or an improved version of it - may come to be accepted by EU national data protection authorities and the UK might then be able to adopt something similar.
Regardless of the eventual situation, the UK will remain a member of the Council of Europe (not an EU body) and will retain its obligations under Convention 108 which concerns automatic processing of personal data.
For now, the best advice is to continue to comply with the DPA and to prepare for compliance with the GDPR, which is likely to be relevant regardless of the UK’s eventual status. No Brexit-induced changes will occur without clear warning but your Brexit action group should monitor developments as they arise.
If you would like to discuss any aspect of this article, please get in touch with Graeme Fearon or your usual Thrings contact.