The EU’s General Data Protection Regulation is due to come into force across the bloc on May 25, 2018. It is the biggest shakeup in data protection law for 20 years. The rights of people to access and protect their data will be strengthened, businesses will face more rules on how to manage and safeguard data, data protection training requirements will be stricter and the penalties for getting it wrong will be much harsher.
Brexit has caused a wave of uncertainty about how GDPR might be implemented in the U.K. and what might happen once the U.K. is out of the EU.
What We Know Now
The U.K. government has signalled its intention to trigger Article 50 before the end of March 2017, kicking off the two-year countdown to the official exit from the EU. Barring further changes, the U.K. should have left the EU by April 2019. Assuming that the U.K. remains a full member of the EU until that date, GDPR will automatically apply to the U.K. in 2018.
Both the Information Commissioner’s Office (ICO) and the U.K. government have indicated that GDPR will be implemented regardless of the U.K.’s eventual relationship with the EU.
The U.K. has a strong data protection record itself. Britain’s ICO was the original instigator of GDPR, identifying the need to update data protection law back in 2009. The U.K. is also a world leader in data systems, cybersecurity and privacy law. However, research by KPMG has shown over 60 percent of CEOs are concerned about British privacy regulations becoming out of step with the EU after Brexit and impacting their business.
To maintain full compliance with GDPR, the U.K. must maintain an adequate level of protection for individuals. That means someone in France, Spain or the U.K. must have a very similar level of data protection and expect companies and nations to look after their data in broadly the same way. To maintain full compliance, there cannot be too much change in how a citizen experiences data protection from one country to another.
There are national derogations available under GDPR, but these are limited in scope to issues like national security, judicial independence and religious exemptions. In addition, any restriction must still respect fundamental freedoms and remain necessary and proportionate.
Not all the rules of GDPR have been finalised. A group known as the Article 29 Working Party is currently writing guidelines on everything from who will need a DPO to the right of data portability. After the implementation of GDPR, the Working Party will become the European Data Protection Board, made up of a representative from each EU member state. It will continue to write guidance and coordinate enforcement across the EU and potentially alter the way GDPR should be implemented.
After Brexit, the U.K.’s ICO may no longer have a seat on the Data Protection Board. To remain compliant, the U.K. could end up having to implement decisions of the board without having a say.
The problem is how to incorporate all these individual changes and adaptations without the need for constant legislation. To maintain full compliance, the U.K. may have to devise a system to automatically implement GDPR developments which take place in Europe. However, this leaves the possibility that a post-Brexit EU moves faster and further with data protection, no longer bogged down by British objections. This could force the U.K. to implement GDPR decisions it might not like in order to maintain full compliance. If not, a two-tier, partial compliance system could emerge. On the other hand, full compliance might not be too difficult. The current eight principles of data protection remain the same under GDPR, and the U.K. in general has strict data protection laws.
Partial compliance with GDPR could emerge from a situation where the U.K. keeps the regulation on the statute books after Brexit but doesn’t keep pace with any changes as they develop.
The Prime Minister plans to incorporate the body of European law into U.K. law in a “Great Repeal Bill,” and then decide which laws to keep and which to, well, repeal. With no automatic mechanism to keep up with changes in EU rules, a two-tier system could be the only option. This might mean U.K.-based companies with business in the EU complying with GDPR internally but operating under a different standard for their British operations.
Some of the more stringent GDPR requirements, such as 72-hour breach notification, unrestricted right of access and the right to be forgotten, may be without a home in post-Brexit Britain, but remain part of EU rules. Companies will have to prepare for the potential increased workload and confusion that may result from trying to comply with two different systems at the same time.
While some companies and politicians may be keen to drop a number of GDPR requirements as soon as possible, partial compliance creates its own problems. Too much tinkering with the rights of data subjects, or stepping too far away from the protection of fundamental rights that GDPR is based on, could leave the U.K. and EU data protection regimes in a state of divergence.
The U.K.’s divergence from GDPR would mean a significant and material shift away from European standards of data protection. This could happen if the U.K. rejects GDPR wholesale and keeps the Data Protection Act instead. Another scenario is that GDPR is implemented, but after Brexit, it’s repealed or amended beyond recognition.
However, a legislative separation might not necessarily mean divergence. U.K. case law has been catching up with European concepts of privacy. In a recent Court of Appeal case, Google vs. Vidal Hall, the U.K. court found a right to claim compensation from a data protection breach without having to prove financial loss. However, this ruling was made by applying EU law, so Brexit may end up narrowing the scope of how British judges interpret data protection.
There is always the possibility that the U.K. may diverge from GDPR but toward even greater protections. The U.K. is already a world leader in data protection and has taken pioneering decisions in other areas of compliance, such as the Modern Slavery Act.
Divergence in this direction matters less than divergence the other way. If the U.K. and EU data protection systems become too different, the U.K. could be in danger of losing its adequacy determination, making data transfers from the EU to the U.K. technically illegal. Even if the U.K. maintains full compliance with GDPR, there is still a possibility that Brexit could threaten the U.K.’s adequacy determination.
Brexit: Deal or No Deal?
Regardless of what the U.K. does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to WTO rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the U.K. after Brexit is to be judged as offering an adequate level of protection by the European Commission.
A hard Brexit with no deal means no assessment of adequacy. Furthermore, the U.K. cannot apply to the European Commission for an assessment of adequacy; that determination can only be given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60 billion leaving bill, there might not be much goodwill left to speed up a U.K. adequacy determination for GDPR.
Without any sort of bridging deal, transferring data from the EU to the U.K. could be seen in the same way as transferring data to Zimbabwe. Data transfers to the U.K. could be technically illegal. This, of course, would imperil the economies on both sides of the channel, but it’s a serious risk if there is no deal or transitional arrangement in place.
Canada was judged to offer an adequate level of protection following the conclusion of CETA, the EU/Canada free trade deal, and adequacy is offered to a handful of other countries including the Channel Islands, New Zealand, Israel and Argentina.
Data transfers to the U.S. take place under the auspices of the EU-US Privacy Shield, which American companies can sign up for to demonstrate they offer an adequate level of protection. This was hastily put together after the previous Safe Harbour scheme was ruled as being inadequate by the European court. It may be that in the event of a no-deal Brexit, the U.K. can join the Privacy Shield, allowing companies a one-step registration process to essentially continue doing what they will already have been doing right up until the formal exit from the EU.
But the question of whether the Privacy Shield will survive President Trump has become another reason to worry about what the next few years will mean for data protection.