The legal consequences (for data protection and otherwise) of the UK’s historic vote in the EU referendum of 23 June 2016 are still unfolding, and it is likely to be some time before the dust settles. Ultimately, much will depend on how the UK and EU choose to maintain their future relationship, and on how and to what extent the UK decides to extricate its legal regime from that of the EU.
There are no easy answers to these questions and at this stage there are many possible outcomes. On the one hand, EU data protection rules could continue to apply in the UK if it remains in the single market. At the other (extreme) end of the spectrum, the UK might leave the single market and choose to replace all EU rules with national ones. As Baroness Neville-Rolfe observed in her recent speech at the Privacy Laws & Business annual conference, it is unlikely we will know the answers to these questions until the withdrawal negotiations get underway.
It is important to note that legally speaking, the referendum result changes nothing in the short to medium term; the laws in force before the referendum are still in force today, and EU laws due to take effect before the UK’s exit, including the General Data Protection Regulation, will still come into force as planned. For the moment, therefore, UK organisations should continue complying with the Data Protection Act, prepare for compliance with the GDPR, and watch closely for the shape of things to come in the longer term.
Stay calm and carry on
The key message at this point is not to panic: data protection law has not changed as a result of the referendum. Although the referendum result is considered by many to be politically binding, it is not in itself legally binding. Before the UK can withdraw from the EU, Article 50 of the Treaty on European Union will need to be invoked. There will then be a two-year withdrawal period during which the arrangements for the UK’s exit will be negotiated with the 27 remaining Member States. This withdrawal period may be extended, provided all the remaining Member States agree.
At the time of writing, Article 50 has not yet been triggered. The suggestion is that this will not happen before the end of 2016. The UK will therefore remain in the EU for at least two more years, possibly longer. As such, for the next two years at least, the UK must remain compliant with EU laws to which it is subject, including the EU Data Protection Directive 95/46 which is implemented into UK law by the DPA. The DPA will therefore continue to apply in the UK until the GDPR becomes directly applicable in EU Member States on 25 May 2018. The GDPR will then apply at least until the UK’s formal departure from the EU, possibly much longer if this is required as part of a future trading arrangement between the UK and EU-27.
Get ready for GDPR
In the longer term, there are two possible scenarios, depending on whether or not the UK remains part of the European Economic Area:
· If the UK does remain part of the EEA, it is likely that the GDPR will continue to apply to the UK in the same way as other non-EU countries within the EEA (ie Norway, Iceland and Liechtenstein).
· Alternatively, if the UK leaves the EEA, it would in theory no longer be bound by the GDPR and would be free to adopt its own national data protection legislation. However, even in this scenario, the UK may still want to adopt data protection legislation equivalent to the GDPR – see below.
In addition, irrespective of the trading model ultimately adopted, the GDPR will continue to impact many UK companies by virtue of its wide territorial scope. Under Article 3(2) of the GDPR, UK businesses will still need to comply with the GDPR if:
· they offer goods or services to data subjects in the EU (regardless of whether any payment is taken from the data subject); or
· they monitor the behaviour of data subjects within the EU.
This applies even to UK businesses not established elsewhere in the EU. In practice, therefore, the extra-territorial reach of the GDPR means it is likely to remain relevant for many UK businesses for years to come. Importantly, this means UK businesses targeting data subjects in the EU could still be subject to fines for non-compliance with the GDPR – up to a maximum of 4% of annual worldwide turnover or €20 million, whichever is greater.
The bottom line is that the GDPR is still likely to touch UK businesses in one way or another, and it is advisable for organisations to continue planning for compliance with it.
International data transfers: a new challenge for businesses?
A ‘hard Brexit’ involving the UK’s departure from the EEA would present particular issues with regard to international data transfers. Like the DPA, the GDPR (which will be in force by the time a formal Brexit actually occurs) restricts transfers of data to third countries outside the EEA except in certain limited circumstances. Unless an exemption applies, data can be transferred outside the EEA only where:
· the European Commission has issued an adequacy decision for the non-EEA country to which the data is being transferred, confirming that it provides a level of data protection equivalent to that in the EU; or
· the transfer is covered by an appropriate mechanism, such as standard contractual clauses, binding corporate rules, certifications or codes of conduct.
If the UK leaves the EEA, it will become a third country for the purposes of the restriction on transfers. This means that EEA countries will be able to transfer data to the UK only if one of the conditions above applies. In the long term, if necessary, the UK would likely hope to receive a Commission adequacy decision or, failing that, a UK-EU agreement along the lines of the newly approved EU-US Privacy Shield. For this reason, it seems likely that the UK would want to adopt national laws identical or similar to the GDPR, in order to persuade the Commission that the UK provides an adequate level of protection. Nevertheless, a Commission adequacy decision is by no means guaranteed and may take some time to issue even if the Commission does decide to grant it.
If the UK leaves the EEA, in the absence of an adequacy decision, multinational organisations looking to transfer data from the EEA to the UK will need to look to alternative transfer mechanisms, such as standard contractual clauses, BCRs, or obtaining the data subject’s explicit consent.
The future of data protection in the UK
The longer-term position is somewhat unclear. It may well be that the UK ultimately remains bound by the GDPR or adopts national data protection legislation identical or very similar to the GDPR. This is likely to be the case if the UK’s future relationship with the EU involves the UK remaining in the single market or retaining a high degree of access to it, for example through a ‘Norway style model’ (involving EEA/EFTA membership) or a ‘Swiss style model’ (which may give the UK certain access to the single market through a series of bilateral trade agreements). In either case, the UK would likely have to comply with many EU standards to gain single market access.
Conversely, if the UK were to move outside the single market (for instance, through a Turkish-style customs union, a series of free trade agreements, or under World Trade Organisation rules), the UK may in theory have more freedom to move away from EU data protection models and we could begin to see a divergence between EU and UK law in this respect, although much would depend on the trading framework ultimately agreed with the EU-27. UK businesses targeting EU citizens would in any event still need to comply with the GDPR, due to its extra-territorial reach. Additionally, even if the new relationship forged with the EU is a more distant one, there would still be a strong imperative for the UK to adopt national data protection laws essentially equivalent to the GDPR in order to obtain an adequacy finding from the Commission (see above), thereby facilitating data flows between the EU and UK and helping to ensure the UK remains an attractive location for businesses dealing in data.
The Information Commissioner’s Office, at least, seems determined to ensure that the UK remains committed to a high standard of data protection and has highlighted the need to reform UK data protection law to reflect the needs of the digital age. At the ICO’s annual report launch on 28 June 2016, the outgoing Information Commissioner Christopher Graham explained the ICO’s intention to discuss with the UK government the implications of the referendum result and its impact on data protection reform in the UK. The ICO made it clear in this statement that ‘having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary’. It would therefore not be surprising if the UK were to adopt national data protection legislation which includes more robust protections than the DPA and is closely aligned with the GDPR, even if not required to do so as part of a trade deal with the EU.
In short, it is impossible to say what UK data protection law will look like in the long term; there are simply too many unknowns at this point. At this stage, the best organisations can do is to comply with the DPA today, prepare to comply with the GDPR, and wait to see what the future holds.
Dyann Heward-Mills is a Privacy Partner and Joanna De Fonseka is an Associate at Baker & McKenzie LLP, London