Brexit and the Future of UK Data Privacy Laws
In the debate leading up to the UK referendum on membership of the EU, one of the ‘Leave’ campaign’s arguments was that the UK would set itself free from the allegedly crushing burden of EU regulations. Time will tell whether or not, and to what extent, such claims are proven accurate, but it is almost certain that in many areas, UK businesses will continue to have an obligation to comply with EU regulations in order to do business across borders. A case in point is the regulation of data privacy.
The current UK legislation on data privacy is primarily embodied in the 1998 Data Protection Act, which implemented a 1995 EU Directive on data privacy (Directive 95/46/EC). The EU passed legislation earlier this year approving a significant overhaul of existing EU data protection rules. This General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) will apply automatically to all member states from 25 May 2018. Given the constitutional processes required and the UK government’s procrastination over triggering Article 50, the chances of the UK formally leaving the EU before that date are extremely low, and the GDPR would therefore become part of UK law prior to Brexit. While the UK could repeal or significantly reduce the obligations on businesses handling personal data under the GDPR after its departure from the EU, it is unlikely to do so for several reasons:
- The UK Information Commissioner’s Office (“ICO”) has indicated that it remains committed to a robust protection of individuals’ personal data, notwithstanding Brexit. In a statement issued prior to the referendum, the ICO’s position was that the UK will continue to apply “clear and effective data protection laws, whether or not the country remains part of the EU”. In the aftermath of the referendum, the ICO stated that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens […]. Having clear laws with safeguards in place is more important than ever”.
- Even if the UK were to radically dilute the data protection obligations under its domestic law, many UK companies that offer their goods or services to consumers in the EU, or which track or monitor these consumers through technological means, will have to continue to comply with EU law (in the form of the GDPR) after Brexit. One of the significant features of the GDPR is the expansion of the jurisdictional scope of EU data protection rules to any business, within or outside the EU, collecting personal data from customers in any EU country. Thus, the obligations imposed on EU companies, such as providing a more robust privacy statement to their customers, obtaining more explicit consent to the processing of their personal data, and being liable for the security of such personal data, will apply to many UK companies doing business in the EU to the same extent after Brexit as they apply to any company within the EU.
- Once the UK leaves the EU, UK companies will no longer automatically benefit from the right to transfer personal data of EU residents to other EU countries afforded by EU law. Under existing EU laws as well as the GDPR, transfers of EU-originated personal data to a country outside the EU that does not provide a level of protection that the EU deems adequate are prohibited unless the data subject has consented to the transfer or the transfer is effected by other legal means, such as EU-authorised bilateral transfer agreements or (in the case of transfers to the US) the new ‘Privacy Shield’, which replaces the ‘Safe Harbour’ regime invalidated by the Court of Justice of the EU. It is in the interests of the UK to ensure that the EU will continue to allow the flow of personal data between companies operating in the UK and the EU post-Brexit, including multinational companies located within the UK. Leaving the GDPR wholly or substantially in place could provide a relatively easy path to obtaining the necessary EU certification of the adequacy of the UK’s data protection laws, allowing the continuation of personal data flows between the EU and the UK.
The overall impact of Brexit on the regulation of business operations in the UK will not be known for some time, but insofar as data privacy and data protection are concerned, the French expression “plus ça change, plus c’est la même chose” (the more things change, the more things remain the same) might apply.
Please contact a member of the Dorsey team should you have any questions on data privacy or data transfer issues that affect your business.