Brexit – What’s next for UK data protection law?
September 2016 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
The reform of European data protection law was finalised with the publication of the European General Data Protection Regulation (GDPR) on 4 May 2016. Publication in the European Official Journal started a two-year ‘sunrise period’ that would see the provisions of the GDPR take effect across the European Union (EU) from 25 May 2018. However, the UK’s decision to vote ‘leave’ on 23 June 2016 means that the GDPR will no longer automatically apply in the UK, leaving organisations facing an uncertain future and wondering what, among many other things, the likely effect of Brexit on UK data protection law will be. The answer to this question is unclear and will largely depend on what exit strategy is pursued by the UK government.
The impact of the GDPR
The GDPR will place stricter requirements on organisations that are established in the EU and those that wish to do business in the EU. Due to the stricter requirements, many UK organisations may have been relieved by the leave vote as they considered the GDPR to be largely redundant. However, while it may be tempting to think that the GDPR would no longer apply in the UK, the reality is a little more complex.
There are two key reasons why it is highly likely that the UK will need to adopt the GDPR or equivalent legislation. Firstly, when the UK is no longer a member of the EU, it would be designated a ‘third country’. As a third country, the UK would have to demonstrate that it provides adequate protection for EU citizens’ personal data or transfers from the EU to the UK would be prohibited. It is not a foregone conclusion that the European Commission would make such an adequacy finding and organisations established in EU Member States would potentially have the same difficulties in transferring personal data to the UK as they are now finding with transfers to the US following the invalidation of the US Safe Harbour scheme. Secondly, the GDPR has an extraterritorial reach, meaning it will apply to organisations located outside the EU whose goods and services are aimed at EU citizens. There is no requirement to have a physical presence in the EU, i.e., a branch/office, subsidiary or servers. Accordingly, any UK organisation that wants to sell goods or services to EU citizens will have to observe its provisions or risk penalties of up to 4 percent of worldwide annual turnover or €20m.
The Information Commissioner’s Office (ICO) has confirmed that if the UK is not part of the EU, then EU reforms to data protection law would not directly apply to the UK. However, the ICO’s viewpoint is consistent with the above points, and it has stated that “if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018”.
In light of the above, it seems very likely that the GDPR will be implemented in the UK either in the form of the GDPR or via equivalent legislation. Retaining access to the Single Market will be of key importance to the government during negotiations and if the UK wants to retain access then it will need to adopt adequate measures mirroring those of the GDPR. The ICO will also want to avoid the issues experienced with Safe Harbour that could potentially harm UK businesses and require a lengthy negotiation process to remedy.
The future of UK data protection law post-Brexit will ultimately depend on the deal struck with the EU on the terms of the UK’s exit. It is too early to know what the UK’s future data protection standards will be, as negotiations have not yet started. There is much speculation regarding the UK’s options and, while this is just speculation, three more prominent options are being suggested, as outlined below.
The UK may exit the EU but become a member of the European Economic Area (EEA) and of the European Free Trade Association (EFTA). This is known as the ‘Norwegian model’ as it was the approach taken by Norway following its referendum vote in 1994, and would allow the UK to retain access to the Single Market. Under the Norwegian model, EU policies not covered by the EEA agreement would not apply to the UK. However, as a member of the EEA, the UK would be required to retain a wide range of EU legislation including those covering the four freedoms. The current non-EU members of the EEA have adopted the Data Protection Directive (and will adopt the GDPR) into local law and the UK would be required to adopt a wide range of EU legislation, including the GDPR. In any event, due to the GDPR’s extraterritorial reach, access to the Single Market will require UK organisations to comply with the GDPR when providing goods or services to EU citizens.
The UK could exit the EU and join EFTA, but not the EEA. This model is known as the ‘Swiss model’ as Switzerland is a member of EFTA and not the EEA. Adopting the Swiss model would see the UK’s relationship with the EU governed by a number of bilateral agreements with some limited access to the Single Market. This scenario would require the UK to demonstrate ‘adequacy’; in other words, the UK would need to show that its data protection laws provided adequate protection when compared to the GDPR. Clearly, the best way (but not the only way) to show uniformity with the EU data protection regime would be for the UK to base any new national data protection legislation on the GDPR.
A total exit from the EU will likely see the UK seek to strike deals with the EU independently or through organisations such as the World Trade Organisation (WTO). Alternatively, the UK may try to join the EU’s Customs Union in the same way as Turkey (known as the ‘Turkish option’). Consequently, the UK would be free to choose whatever data protection laws it wants. However, in order to provide services in the EU as a third country, UK organisations would need to show that they provide adequate protection. In practice this may be difficult, as evidenced by the tumultuous US-EU relationship and the Privacy Shield, which has now replaced the Safe Harbour scheme despite widespread criticism. As such, to allow UK organisations to continue doing business within the EU, the most practical option would be to adopt legislation similar to the GDPR. In any event, the UK’s exit is unlikely to be completed by 25 May 2018 and, as such, the UK will need to adopt the GDPR on 25 May 2018 until such date as it exits the EU.
While specific details of the UK’s post-Brexit data protection laws are currently unknown, the guidance of the ICO is a strong indicator that any legislation will be largely equivalent to the GDPR. As such, organisations should continue working toward the GDPR deadline, ensuring that they are compliant with the Data Protection Act and considering how they will address their new GDPR obligations, such as the right to be forgotten and the appointment of a data protection officer (where required). Irrespective of whether or not we are bound by the GDPR’s provisions, it seems highly likely that we will be bound by its standards. There is the distinct possibility that the UK adopts the GDPR on 25 May 2018 with all other EU Member States and retains it moving forward post-Brexit.
Jonathan Wright is a solicitor at Wedlake Bell. He can be contacted on +44 (0)20 7406 1685 or by email: firstname.lastname@example.org.
© Financier Worldwide