Theresa May, the UK’s new Prime Minister, has said it: “Brexit means Brexit.” So does GDPR matter?
The short answer is yes… and you shouldn’t shelve your GDPR plans. Uncertainties abound, but in most scenarios facing the UK, implementation of GDPR or a very similar data protection regime is firmly on the cards.
Post-Brexit comments made by Baroness Neville-Rolfe, minister responsible for data protection, led to headlines that GDPR may no longer apply in the UK. While the specific shape of the post-Brexit privacy regime is unclear, GDPR will play a key role. The Minister spoke of the uncertainty ahead: “we do not know how closely the U.K. will be involved with the EU system in the future … On the one hand, if the U.K. remains within the single market, EU rules on data might continue to apply fully in the U.K. On other scenarios, we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get underway.”
One key factor is that GDPR is (or was) due to take effect in the UK by 25th May 2018. The fact remains that the UK will be an EU member for at least two years while withdrawal is negotiated, creating a clear overlap to be worked through. In addition, the ‘two year’ withdrawal process won’t formally begin until the UK notifies the EU under Article 50 of the Lisbon Treaty. Philip Hammond, then Foreign Secretary and now Chancellor, even posited a four-year Brexit period. It’s now firmly in the hands of the new Prime Minister as to when this trigger is fired.
Baroness Neville-Rolfe stressed “one thing we can say with reasonable confidence is that if any country wishes to share data with EU Member States, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection. This will be a major consideration in the UK’s negotiations going forward….”
Crucially, even outside the EU, GDPR will affect a swathe of UK business. The new regime doesn’t just apply to organisations within the EU but also to organisations established outside the EU which offer goods or services in the EU, or which monitor the behaviour of EU data subjects. Hence global companies, from the Americas to Asia, are sitting up and taking notice.
Christopher Graham, who has just vacated his ICO offices, reacted to Brexit by saying “with so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.”
Baroness Neville-Rolfe and the new Information Commissioner, Elizabeth Denham, will no doubt be getting their heads together over Brexit repercussions.
The Direct Marketing Association has taken a similar stance, with CEO Chris Combemale advising “the UK wants to continue trading with the EU, so our data protection law will need to be broadly equivalent to existing legislation and strike the right balance between the right to privacy and economic growth.”
What is this balance going to look like? What are the options post-EU and how might they impact on the current data protection regime?
If the UK negotiates to leave the EU but remains in the European Economic Area (EEA), it will be required to incorporate EU legislation covering the free movement of goods, services, persons and capital. Down this road it’s almost certain GDPR will be fully enshrined in UK law. Likewise, if the UK stays in the Single Market, EU legislation is highly likely to apply.
If the UK leaves the EEA, it could still decide to incorporate GDPR in its entirety within national legislation or adopt a very similar-looking regime. Some argue this would be the most straightforward approach as it would almost certainly guarantee adequacy, thereby negating the need for cumbersome data transfer solutions between the EU and UK.
The UK may, however, be tempted to opt for a more ‘business-friendly’ data protection regime. It has already voiced its reservations over burdensome aspects of GDPR. Is Brexit an opportunity to become a data protection haven, by implementing what’s being dubbed GDPR-lite? Could the UK waive hefty new fines, continue to charge for notifications, ditch DPO requirements and ignore the right to be forgotten?
An attractive proposition perhaps, but not as simple as it sounds. This route would mean the UK would be unlikely to achieve adequacy status, with any deviations from GDPR facing robust EU scrutiny. Let’s not forget the UK has already fought criticism for its flexible approach to current data protection rules, and the European Commission may be keen to lever any deficiencies to their advantage.
If the UK is not deemed to have adequate, equivalent data protection laws, alternative solutions would be required to transfer data from the EU to the UK, with significant impact on business activities. Rather than cutting bureaucracy, Brexit could burden business with onerous Binding Corporate Rules and Model Clauses. Negotiations might also be required for an EU-UK Privacy Shield.
While the future is uncertain, Government, the ICO and many data protection professionals are advising organisations to continue preparing for GDPR, believing the UK’s future data protection rules are likely to feature many material similarities.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.