How will Brexit impact on data protection, specifically the General Data Protection Regulation (GDPR)? The details are very unclear and will probably remain so for some months. However there are some things which are fairly clear.
At the moment the Data Protection Act 1998 (DPA) is still in force and will be until 25th May 2018.
The GDPR will be enforced across the EU and beyond from 25th May 2018. At this time the UK will still be part of the EU, so it will be in force here. Something like 50 sections of the GDPR require clarification by Member State law; under the circumstances it is hard to imagine the Government being very concerned about this. Presumably the UK will not be enthusiastic about enforcement either, but if UK data subjects complain to the ICO, or data subjects from other EU states complain to their own regulator, this cannot be ignored.
It is clear that, after Brexit, UK companies will still need to trade with the EU. If personal data of EU citizens is to be processed in the UK there will essentially be two requirements:
- The data controller or processor will need to comply with the GDPR (GDPR Article 3) and
- The European Commission must decide that the UK ensures an adequate level of protection for personal data (GDPR Article 45) – this is not essential, but the alternatives, which are fairly demanding, would need to be implemented by each data controller.
Article 3(2) says:
‘This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union’.
This clearly means that any UK business wishing to sell goods or services in the EU will be required to comply, and it is hard to imagine UK authorities refusing to co-operate with any enforcement of this.
If the European Commission is to approve an adequacy decision relating to the UK then there needs to be suitable legislation in place. What exactly is meant by ‘adequate’ is not defined in the GDPR, but legislation will certainly need to be generally similar, and it is very unlikely that the DPA in its current form will be seen to be adequate.
This means new legislation will need to be in place in the UK (so businesses trading with the EU will need to comply with both the new UK legislation and the GDPR!). The simplest way to introduce this would simply be to implement the GDPR, but given the Brexit mantra of creating our own laws it might be too embarrassing to do this. So we will probably have a new Act which will be face-savingly different from the GDPR but, hopefully, similar enough to achieve ‘adequacy’.
An Act which will give adequacy will almost certainly need to build on the Data Protection Act, providing for enhanced data subject rights, stronger requirements for consent, significantly increased penalties, mandatory data breach reporting, obligations on data processors, accountability (demonstration of compliance) and possibly mandatory privacy impact assessments.
For any business which trades or intends to trade with EU countries it certainly makes sense to make preparations for GDPR compliance. If you need any support with this please get in touch.