The impact of Brexit on Data Protection
14 July 2016
At the moment, it is impossible to say with any certainty how data protection legislation in the UK will be affected by Brexit. The General Data Protection Regulation (“GDPR”) is due to come into force in May 2018.
Even if “out truly means out” of the EU, multinationals and UK businesses doing business in the EU will still need to comply with the GDPR when processing the personal data of people located in the EU. Such businesses may also elect to apply many of the standards set out in the GDPR to their handling of personal data in the rest of the world. This is because businesses that trade in the EU and elsewhere in the world will be faced with implementing different data protection rules in different countries and may therefore choose to adopt the highest necessary standard of data protection rules globally: in our experience, such businesses are usually reluctant to segment their databases to comply with different rules worldwide. Rather, the GDPR, as the highest common denominator in data protection law, offers a standard which multinationals could adopt throughout their business.
Another factor the UK government will wish to consider when deciding which data protection legislation to implement is whether the EU will deem the UK’s data protection legislation to afford data subjects an adequate level of protection for their privacy. Simply relying on the Data Protection Act 1998 (the current law) will not be enough to obtain an adequacy finding. However, it is unlikely that the UK government will want the UK to be found inadequate from a data protection perspective. In order to obtain a finding of adequacy, the UK will need to adopt either the GDPR or something very similar to it. In the event that the UK’s data protection legislation is found to be inadequate, we will then be left in a similar position to the USA and other countries, where personal data can only be transferred from the EU to the UK if the UK adopts a type of Safe Harbour scheme or other data export compliance measures are adopted.
The ICO agrees and has said: “With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary”.
It is therefore likely that the GDPR is here to stay, regardless of the kind of Brexit deal that is negotiated. With this in mind we would recommend that any data protection audit undertaken looks at GDPR compliance and not just compliance with the Data Protection Act 1998.
EU-US Privacy Shield agreed
On 12 July 2016 the EU Commission formally adopted the EU-US Privacy Shield, the replacement for the Safe Harbour scheme.
Changes that had been made to the Privacy Shield include stronger rules on data retention, onward transfers of data, and safeguards on access to data by public authorities. The position of the US Ombudsman had also been renegotiated so that the body will be fully independent from intelligence agencies.
For the first time, the US also gave the EU written assurances that public authorities’ access to the personal data of EU citizens for law enforcement and national security purposes would be subject to clear limitations, safeguards and oversight mechanisms, and ruled out indiscriminate mass surveillance of European citizens' data. The Privacy Shield also provides for several accessible and affordable redress mechanisms, in case of any complaints by EU data subjects.
Businesses can now start planning to resume transfers of data to US-certified companies without having to rely on model clauses, binding corporate rules, or other less simple mechanisms allowing the transfer of data. However, there are still some details of the new scheme to iron out, so our advice for the moment is for businesses to continue with their existing alternative arrangements to Safe Harbour.