Last week’s Brexit vote in the Referendum has created some uncertainty as to whether or not the UK will implement the General Data Protection Regulation (GDPR). The answer to this question is that the UK is very likely to implement the GDPR or something of a very similar standard with few exceptions. This blog explains why this is the case and explores some other options.
When the UK leaves the European Union (EU), it may become a territory outside the European Economic Area (EEA) that has to offer an adequate level of data protection. So if the UK wants to obtain personal data from the EU or offer services that require the processing of personal data about data subjects in the EU, that processing will have to be consistent with the GDPR (see Article 3(2)). Controllers subject to A.3(2) have to adopt the GDPR.
As the UK has already agreed the text of the GDPR as a Member State of the EU, adopting the GDPR should ensure an adequacy decision by the Commission with respect to the UK. This should remove data protection as a negotiation problem concerning Brexit as the UK merely adopts that EU legislation it has agreed. If this happens, all controllers apply the GDPR to the May 2018 deadline.
If the UK joins the single market on something like the EEA/Norwegian-type model, then the UK would have to adopt the GDPR in full (just like Norway). There again, such adoption of the GDPR should not be an issue as the UK has already agreed the text. Implementation would again be to the May 2018 deadline.
In the case of European companies (controllers and processors) offering services into the UK, they are established in the EU and have to satisfy their GDPR requirements for the processing of personal data (including transfer issues by using Binding Corporate Rules or one of the other options; see Articles 44-49). UK based multi-nationals that have a considerable EU base could look at this as an option by shifting centre of gravity of the processing decisions into the EU (see the establishment definition in Article 4(16)). Such a shift would mean GDPR compliance.
Finally, if a new Prime Minister implements the Article 50 withdrawal mechanism in October, then the two year period for the UK leaving (October 2018) extends beyond the date by which the GDPR has to be implemented by Member States (May 2018). Any further delay in pressing the A.50 Brexit button beyond October this year merely serves to extend the time in which the UK will be a Member of the EU having to implement its Regulations (including the GDPR by May 2018).
What is certain is that the current UK Data Protection Act cannot offer adequacy as it is based on Directive 95/46/EC, which is being repealed. It is clear from the Safe Harbor/Privacy Shield comments by the Article 29 Working Party (the future European Data Protection Board) that the Board will insist on a high level of data protection when considering countries outside the EEA. The problem is that the UK’s Data Protection regime has always been viewed as offering a lower standard of protection, even with respect to Directive 95/46/EC.
This is exacerbated by the Investigatory Powers Bill currently before Parliament. If bulk personal datasets continue to be hoovered up without regard to data protection compliance, then there is a risk that the EDPB will flex its muscles as it has done with Privacy Shield (i.e. transfers to the UK could well be deemed to be a breach of the GDPR).
However, I can see circumstances where the Data Protection Act could continue for a UK controller outside the EEA (e.g. when a controller is in the UK and where the processing of personal data is all in the UK and is limited to UK citizens; this could allow the UK to assist small businesses) and where the GDPR applies to all other controllers. This dual Data Protection regime would be a very messy solution, but it could be implemented.
Finally, readers must understand that whatever the agreement the politicians make with respect to Brexit, the assessment of the data protection elements of that agreement will be undertaken by the EDPB and each European Data Protection Authority. They will be able to use their considerable enforcement powers in the GDPR in relation to any transfer of personal data to a UK outside the EEA. This is a consequence of the Schrems Decision. In other words, the more the UK Government strays away from the GDPR, the greater the risk that the UK will be deemed not to offer an adequate level of protection.
The question for those wanting to know what to do about the GDPR (e.g. start compliance work; attend our GDPR workshops) is whether to wait until there is certainty as to what the new data protection arrangements will be in the UK. Hopefully the paragraphs above will help.
I add that such uncertainty has always been the position, even before the Brexit vote, because all European Governments agreed 50+ Articles where Member States had a “margin of manoeuvre” to implement legislation in accordance with national custom. In other words, if the Referendum vote had been for Remain, we would still not know the precise form the GDPR would have taken in Britain.
In other words, uncertainty concerning the implementation of the GDPR in the UK is nothing new. Hence my conclusion that any postponement of activity with respect to the GDPR on the grounds of “let’s see what happens” will just leave less time to do the necessary work.
Our GDPR Regulation Workshops provide a road map for what you can do now to plan for implementation of the GDPR (or something similar); the actions that need to be taken now are identified in the workshop. Amberhawk is holding all-day workshops in London, Leeds, Douglas (Isle of Man) and Edinburgh in the next three months; details on http://www.amberhawk.com/bookevents3.asp
To train your Data Protection Officer, we have a BCS DP Practitioner Qualification (starting in London on July 12). Full details of courses from September (e.g. FOI, CISMP, Foundation DP courses) are on the Amberhawk home page: www.amberhawk.com
50+ Articles of Member State flexibility: http://amberhawk.typepad.com/amberhawk/2016/05/will-the-uks-approach-to-the-gdpr-be-harmonised.html
IP Bill data protection concerns: http://amberhawk.typepad.com/amberhawk/2016/06/message-to-data-subjects-national-security-purpose-is-free-of-constraints-such-as-lawful-or-compatib.html