Brexit: The implications for data protection



Transfers of data outside the EEA

The starting point when considering the implications for data protection of the UK decision to vote to leave the EU is whether or not the UK will be a member of the European Economic Area (EEA). This may not become apparent for some time and – for the moment – the advice cannot be anything other than to “wait and see”.

Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, implemented in the UK by the Data Protection Act 1998, prohibits transfers of personal data to countries outside the EEA unless they ensure an “adequate level of protection” to personal data. If the UK failed to meet this “adequate protection” threshold, alternative arrangements, none of which are straightforward and which are considered below, would need to be implemented before businesses based in the remaining 27 EU Member States could transfer personal data to their UK counterparts. One would expect the UK to meet the threshold but there is no guarantee that it would do so – the Commission has criticised the UK Government in the past for failure to implement the Directive in full.

Additionally, and critically, the EU General Data Protection Regulation will come into force in the EU on 25 May 2018. The Regulation substantially builds on the Directive and if the UK chooses not to adopt the Regulation in its own laws but to continue with the existing regime under the Data Protection Act 1998, it will increase the possibility that the UK will, from the European perspective, no longer be a “safe third country” in terms of the transmission of personal data. Indeed the possibility becomes more of a probability.

There are ways around the problem if the UK is considered not to be “safe”:

  • the adoption of binding corporate rules. These allow multinationals and other international organisations and groups to transfer personal data across borders in compliance with EU data protection law. To date, however, take-up has been very modest, largely because they are cumbersome and time-consuming to implement;
  • the use of “model contracts”. These too have not been popular, as they add an additional administrative burden to data transfers and cannot be negotiated;
  • an EU-UK privacy shield, akin to the EU-US privacy shield (the proposed replacement for the Safe Harbor, which was declared invalid by the Court of Justice of the European Union last year). However, as is clear from our recent article on the subject, establishing a privacy shield is also a difficult task, and the EU-US privacy shield has yet to be finalised.

In time, in the light of a decision not to remain in the EU, UK businesses operating in the EU will need to review internal data transfers, online operations and other activities that are impacted by privacy laws. Conversely, businesses involved in data transfers to and from non-EU jurisdictions only, notably the US, may welcome a more relaxed regime.

A lighter touch regime?

Outside the EU, the UK will have the option of adopting a lighter touch data protection regime than the existing one, a move that many businesses would watch with interest, as the data protection burden can be a trying one. The decision not to adopt the General Data Protection Regulation (or parts of it) could be a part of this.

There are three major caveats to this, however. First, UK businesses trading in the EU will in any event be subject to the Regulation where they offer goods or services to EU citizens or monitor their behaviour (e.g. for online marketing). Secondly, notwithstanding Brexit, the Regulation will come into effect before the UK is able to leave the EU (as noted in our introductory article, this is likely to take two years), and reverting to a different regime may prove extremely confusing for businesses, which will have only just got to grips with their compliance obligations under the Regulation. Thirdly, as already mentioned, the approach taken by the Government to the Regulation is inextricably linked to the issues identified above regarding cross-border data transfers; if consideration is given to the huge volumes of daily data flows between London and other European financial centres, for example, the odds would be on a data protection regime that is close to that of other EU Member States. Having said that, the odds were on a Remain victory!

On 19 April 2016, the ICO issued a statement on the implications of Brexit, stating that:

“The UK will continue to need clear and effective data protection law, whether or not the country remains part of the EU.

The UK has a history of providing legal protection to consumers around their personal data. Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on.”

This is a clear indication that the data protection laws are unlikely to be relaxed.