UK businesses have for some time now been thinking carefully about what they will have to do to comply with the EU’s General Data Protection Regulation (“GDPR”). Brexit has not made their deliberations any easier.
Data protection law in the UK, as with many of our laws, is based on legislation which originates in the EU. The GDPR is a modernisation of the current, slightly rusty, regime put in place by the Data Protection Act 1998, which itself enacted an EU directive (the snappily named Directive 95/46/EC). It introduces new and stricter obligations, together with a system of increased fines to go with them, and is due to come into force, this time without the need for any enacting UK legislation, on 25 May 2018.
The obvious question facing businesses, following the result of the referendum last month, is whether the GDPR will come into force in this country at all. The most likely answer is that it will. As everyone will by now know, the exit clock formally starts ticking once the UK gives notice of its intention to leave the EU under Article 50 of the Lisbon Treaty. As Article 50 provides a minimum two-year period for formal exit negotiations to take place, even if notice had been given immediately, the GDPR would still come into force while the UK remained a member.
Whether the GDPR remains in the long term, however, depends on what alternative relationship with the EU is eventually put in place. It is the uncertainty here that makes planning for the future difficult.
Many commentators think that a likely alternative to EU membership is for the UK to join the European Economic Area (the “EEA”). Members of the EEA have to agree to provide freedom of movement of people, money, goods and services. This would include having to sign up to EU data protection laws. If this route were chosen, the GDPR would remain in place in full.
If the UK chose not to be part of the EEA, then in order for cross-border data flows to continue it would, broadly speaking, either have to satisfy the EU that it “ensures an adequate level of protection” in relation to personal data (i.e. that its data protection regime is of a similar standard to the EU’s) or put in place an arrangement similar to the proposed EU-US “Privacy Shield”.
It is difficult to predict what obligations either would impose on businesses. A system which provides an adequate level of protection could take a number of forms and it is almost impossible to know which parts of the GDPR might be retained. A UK privacy shield would impose fewer and less strict obligations than those which would otherwise be in place. However, EU-US negotiations have been tortuous and, given that the previous arrangement (the US “Safe Harbor” system) collapsed due to concerns about government access to EU subjects’ data, negotiations with the UK (which also favours easy government access to data) might not result in a relaxed regime.
What does all this mean in practice? Businesses should work on the basis that the GDPR will come into force in May 2018 and that it will stay in force for some time afterwards.