The UK has voted to leave the EU, but despite the political drama life isn’t going to change any time soon. Under Article 50 of the 2007 Lisbon Treaty, the UK is required to serve notice. British negotiators will want to use every minute of the two-year notice period they have to cook up an exit strategy with the EU. In his resignation speech the Prime Minister has said he will leave it up to a new leader (expected to be in post by October this year) to serve notice.
This is a crucial point when it comes to the General Data Protection Regulation, which is due to be implemented in less than two years on 25th May 2018. Will organisations need to be compliant with GDPR even if just for a few months?
The future is undoubtedly uncertain. How will the UK Parliament react to the Brexit vote over the next weeks and months? How will negotiations for Brexit be handled? In reality, a phased withdrawal and even temporary adoption of the ‘Norwegian model’ is possible.
What is certain is that countries globally are preparing now for GDPR. It applies not just to organisations established within the EU but to any organisation which processes the data of EU citizens (i.e. offers goods and services to EU members, monitors online behaviour etc.). So even standing outside the EU, the long arm of GDPR will reach any UK organisation handling the data of EU data subjects.
Furthermore, if the UK chooses not to implement a law similar to GDPR, it’s very unlikely our current data protection laws will be deemed to have adequacy. The UK has already faced criticism for its ‘flexible’ approach to data protection rules and concerns have been raised about the UK security services’ data monitoring, in light of the revelations made by Edward Snowden. We’d be facing Safe Harbor round two, with the UK in the European Court of Justice’s spotlight rather than the US. Will the UK Government really want to be in the potential position of forcing businesses to adopt the EC’s standard contractual clauses every time they receive data from the EU? I think not.
For a productive future outside the EU, the UK needs to work to ensure data privacy doesn’t present an obstacle to trade and commerce, especially with so many international businesses based here. Any move by the UK to take a lighter privacy touch will face fierce criticism; whatever happens, adequacy status is a minimum requirement.
Reacting to the Brexit vote, the UK Information Commissioner’s Office (ICO) has made it clear the UK’s data protection standards will need to be equivalent to GDPR (see ‘ICO’s reaction to Referendum result’).
The Brexit vote is dramatic, but in the world of data protection it may prove business as usual, with a law that ‘looks like’ GDPR being implemented by 25th May 2018.
24 June 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.