Following the British vote to leave the EU, few things remain certain: the fast-paced growth of digital developments will continue; the need to protect individuals’ interests will remain a priority; and the UK has not escaped the European data protection regime. With the UK’s exit from the EU unlikely to occur before mid-2019 and the General Data Protection Regulation (“GDPR”) taking direct effect from 25 May 2018, this article explores the various directions that the UK may take as part of Brexit and GDPR implementation.
As the future of most industries becomes increasingly dependent on the rapid accumulation, storage, and analysis of mass data, British businesses are concerned. Julian David, chief executive of the technology industry lobby group techUK, said that work should start now on securing international data flows and data protection. Bearing in mind that any decision on the future of data protection law in the UK will be influenced by the agreements that the UK reaches with the EU once it leaves, the possible options for the UK are set out below.
Joining the EFTA
The UK could remain in the European Economic Area (“EEA”) by joining the European Free Trade Association (“EFTA”), whose current members are Norway, Iceland, and Liechtenstein. Doing so would secure all EU-UK personal data flows. However, the UK would still need to comply with the GDPR and effectively re-implement it with effect from the end of the Article 50 process. The European Commission (“EC”) would, of course, have no grounds for objecting to a UK bid to take this route, as implementation of the GDPR will be deemed to provide an adequate level of protection for personal data. The UK would also benefit from the protections offered by the EU-US Privacy Shield for personal data transfers to the US.
Securing an adequacy decision
If the UK implements a regime aligned with the GDPR principles despite Brexit, the EC would likely find the protection it affords to personal data to be adequate. The UK would then join countries including Canada, Israel, and Switzerland as the EC adds it to its “white list”.
Should the UK decide to retain the Data Protection Act 1998 (“DPA”), it may not secure an adequacy decision, as the protection requirements of the GDPR are considerably more robust than those of the DPA and the EU Directive it implements.
Move away from EU data protection models
Following an exit from the EU, the UK could move away from the EU data protection models and establish its own regime through a series of free trade agreements, under World Trade Organisation rules, or through a Turkey-style customs union. It is likely that this move would result in a regime more robust than the DPA that still ends up closely aligned with the GDPR, to ensure that the UK remains an attractive location for businesses.
Impact of non-alignment with the GDPR on businesses
UK-based businesses may find themselves isolated and burdened with increased costs and inconvenience should the UK not align its data protection regime with the GDPR post-Brexit. Data sharing will become more challenging as businesses are deprived of the advantages of harmonised EU data protection laws. To illustrate, should the UK exit the EU without an adequacy decision from the EC, any UK business looking to transfer data from the EEA to the UK will need to resort to alternative transfer mechanisms such as binding corporate rules, standard contractual clauses, or – in some circumstances – obtaining the explicit consent of data subjects.
Regardless of the trading model that the UK ultimately adopts, businesses will still need to comply with the GDPR if they offer goods or services to, or monitor the behaviour of, EU consumers. Accordingly, UK businesses will remain subject to fines for non-compliance with the GDPR of up to 4% of their annual worldwide turnover or €20 million, whichever is greater. Additionally, most UK businesses will be obliged to appoint an EU representative to deal with relevant EU data protection compliance matters.
Ultimately, although there are strong imperatives for the UK to adopt a regime that is essentially equivalent to the GDPR, clarity in this area remains eagerly awaited and, in our view, the smart course of action is to continue complying with the DPA today and keep up compliance preparations for the GDPR.