With all the furore that has surrounded the result of the recent referendum, it’s easy to overlook the implications that are likely to follow. In this article we’ll look at the, now confirmed, impact of BREXIT on data protection laws in the UK.
The current state of play
The Data Protection Act (DPA) has been the primary source of regulation in this area since it’s introduction in the mid 1990s. Whilst the DPA has provided a sufficient regulatory framework, there is no doubt that it is somewhat dated and long overdue a refresh; with 608,100 new startups incorporated in the UK in 2015 and over $2bn raised in venture capital by British technology firms, it’s easy to see how quickly the environment it governs is changing.
The refresh has already been penned by the European Commission and is due to come into effect in early 2018 under the ‘General Data Protection Regulation (GDPR).’ The GDPR is aimed at unifying individual protection across the EU, as well as, the movement of personal data outside of the EU.
With a concerted effort being made to tighten up data security, the recent ‘Safe Harbour’ ruling was evidence enough of this (where it was decided by the European Court of Justice, that the US does not give adequate protection to personal data), there are a number of cyber security directives on the horizon that the UK could well be committed to implementing soon too.
How might Brexit impact the UK?
For the time being, the DPA remains the ‘law of the land.’ With no European legislation yet in place to provide further guidance, the DPA is still the governing point of law. However, BREXIT throws a fairly hefty splash of uncertainty into the mix when it comes to the GDPR: will it even apply, If it does apply, how long will it be for, and, what impact would a UK-EU trade agreement have on the GDPR’s enforceability?
To answer the first question, the GDPR will apply, even if only for a short while. Unless specific action is taken by the UK before the GDPR comes into force, to either complete our exit from the EU or through the creation of a new act to repeal the DPA; although both of these seem unlikely.
With uncertainty as to when the exit procedure, triggered by article 50 of the Lisbon Treaty, will commence it feels more likely that we will still be negotiating our EU withdrawal when the GDPR comes into force. As a nation we will be clearer at this point, or so we hope, what our ongoing relationship with the EU will look like and what onus there will be on us to adopt new regulations and directives.
So, what impact does Brexit really have on this?
The reality is that until a clearer picture of what post-BREXIT Britain looks like it’s hard to say for certain; there are however, a number of eventualities that are worth considering.
Throughout the entirety of the BREXIT debate, both sides have referenced the relationship countries like Norway have with the EU despite not being a fully fledged member. If the UK was to remain part of the European Economic Area (EEA), like Norway, then by virtue of the requirements for this membership ( e.g. the free movement of goods, services, persons and capital) the GDPR would almost certainly be imposed on the UK; with no representatives in the European Commission once we leave the EU, we would also be unable to shape future legislation in this area.
Striking an agreement that doesn’t see us as part of the EEA would put the UK in a better position to devise our own data protection laws and depart from prescribed European standards; this would also mean the GDPR would not come into effect long term, although there may be a short period of crossover whilst the negotiation period is concluded.
Even if an agreement of this sort is reached, as the Information Commissioner’s Office has stated (the office responsible for enforcement of the DPA), data protection standards ‘will still have to be stringent after BREXIT.’ In order for UK based firms to gain access to a similar level of freedom to that of which we experience currently, the UK would need to be designated a ‘safe third country.’ This would enable us to avoid the far harsher requirements imposed on countries like the USA, but would necessitate us demonstrating protection to a level comparable to that of the GDPR.
The concept of ‘mutual recognition’ between the UK and the EU is a theme that will become more salient as negotiations in all trade areas are entered. Recognition of adequacy from one institution of another, and vice versa, isn’t an uncommon occurrence and could be a very successful means by which we are able construct our own data protections laws, yet retain access to the single market. (Civil aviation is a great example of where multiple bodies, across the world, recognise the proficiency of each other’s regulatory capability when it comes to airworthiness.)
Adapting to changes in legislation, factoring for the uncertainty of BREXIT and growing your business can seem like a never ending to-do-list but Hybrid can be there to guide you every step of the way. Unlike a traditional law firm, we don’t charge by the hour and we won’t charge for each phone call or email. Instead,all of our fees are fixed and agreed with you upfront. Why not contact us today to book your free consultation to discuss your legal requirements in further detail, we’ll be delighted to talk to you!