Much of the UK’s data protection law comes from the European Union, so what effect might a Brexit have on the regulation of data protection in the UK?
Current position and data protection reform
Data protection is regulated in the EU primarily by the Data Protection Directive 95/46/EC (Directive), which is implemented by member states through national legislation. In the UK, that legislation is the Data Protection Act 1998 (DPA) and it regulates the processing of personal data by data controllers established in the UK, or established outside the European Economic Area (EEA) but using equipment based in the UK.
The Directive is set to be replaced on 25 May 2018 by the General Data Protection Regulation (GDPR), which is intended (amongst other things) to modernise the existing data protection standards and strengthen the rights of data subjects. As the GDPR is a regulation with direct effect, it will apply to member states directly without the need for member states to pass further national implementing legislation. This will eliminate some of the differences we currently see between member states’ national legislation and will have the effect of harmonising data protection standards across the EU.
Had the UK voted to remain in the EU (rather than to leave it), the GDPR would have applied directly in the UK from 25 May 2018 in the ordinary course and replaced the existing framework under the DPA.
How could a Brexit change this?
If the UK leaves the EU then, in simple terms, the GDPR will not apply to it. However, there are a number of reasons why the GDPR is likely to be relevant to UK businesses in one form or another irrespective of a Brexit.
The timing of the Brexit is important
It is not clear exactly when the UK will leave the EU. The Article 50 withdrawal procedure in the Treaty on the European Union is triggered by giving notice and sets a deadline of two years for withdrawal (longer if agreed). The UK has not yet taken the steps to commence this process and current predictions are that it may not actually leave the EU until 2020. The GDPR, on the other hand, will start to apply in just under two years. Therefore, there is a possibility that the UK will still be a member of the EU and subject to the GDPR when it is implemented.
If the UK joins the EEA
The UK is likely to consider a number of alternatives to EU membership – one of which is to join the EEA as a non-EU member, in the same way as Iceland, Liechtenstein and Norway. As EEA states have access to the EU’s internal market, they are required to comply with much of EU law, including the existing Directive. The GDPR is a “text with EEA relevance”, which indicates that it would need to be adopted by the UK if the UK joined the EEA.
If the UK adopts another model
Even if the UK opts to contract with the EU on terms other than by joining the EEA, the GDPR could still apply to UK businesses anyway because of its extraterritorial scope. The GDPR will apply to data controllers and data processors that are established outside of the EU, if their processing activities are related to (i) offering goods or services to data subjects in the EU or (ii) monitoring their behaviour within the EU. The first limb would capture UK-based online traders and app providers that collect and store the personal data of European customers. Given the GDPR's apparent focus on ‘B2C’ interactions, however, it is possible the GDPR would have less relevance for UK-based providers of ‘B2B’ goods and services. The second limb might extend to businesses that use website cookies to monitor and profile European customers. It could therefore apply to a range of UK businesses.
The UK could adopt similar laws
Whilst withdrawing from the EU and the EEA in theory leaves the UK free to cut loose from the EU framework and determine its own data protection laws or retain the DPA, in practice the UK may have little option but to adopt standards similar to those in the GDPR. The current regime under the Directive broadly restricts transfers of personal data outside the EEA, except to countries that provide an “adequate” level of protection for personal data. The GDPR contains similar restrictions. Businesses will no doubt be aware of the complications of these rules for transferring data to the US (which does not benefit from a general adequacy finding by the European Commission). If the UK is not a member of the EEA then, unless it is found to be adequate, transfers of personal data into the UK will be restricted and could become more difficult. It is likely that the need to demonstrate adequacy in such a case would prompt a reform of UK data protection law, and the ICO, which has been vocal about the need for reform, has stated that UK data protection standards would need to be “equivalent” to those in the GDPR.
What about other data protection laws?
What does this mean for UK businesses?
For now, the existing data protection framework and the DPA continue to apply as normal and there is no immediate change for UK businesses. However, it appears the GDPR will have a practical impact on UK businesses in one form or another when it applies from 25 May 2018. Until the position becomes clearer, it would therefore be prudent for UK businesses to take steps to ensure they can comply with it.
For further information, please contact Beverley Flynn on +44 (0) 1483 734264, Gustaf Duhs on +44 (0) 1483734217 or your usual contact at Stevens & Bolton.