On 2 February the UK Government published its white paper setting out the 12 principles that will guide the UK's exit from the EU (Brexit). The plan includes "providing certainty and clarity" and "taking control of our own laws".
The principle of taking control of our own laws is an interesting one. It refers mainly to the proposed Great Repeal Bill (announced back in October), which will repeal the European Communities Act 1972 and convert all our existing EU-based law into domestic (UK-specific) law.
The main reason the UK government wants to do this is to ensure that, at the point we officially leave the EU, there is no uncertainty about which laws apply: the same laws will apply the day after Brexit as applied the day before. Legally, nothing will have changed at that point, and we will carry on adhering to the same laws we do today.
On the face of it this all seems sensible, but there is still uncertainty on the horizon, also courtesy of the white paper, which notes that after Brexit the government "will then be able to decide which elements of that law to keep, amend or repeal." So whilst there is certainty at the point of Brexit, we are no clearer about what happens afterwards from a legal compliance perspective.
There is also Grant Shapps' proposed 'sunset clause', which he is pushing to have included in the Great Repeal Bill. It would mean that any EU-derived law the UK government has not actively re-enacted as post-Brexit UK law would simply lapse.
What could this mean for UK data protection law?
Currently the UK has its own Data Protection Act. Born out of the EU Data Protection Directive (95/46/EC) and passed in 1998, the Act sets out eight principles governing the collection, processing and management of personal data, together with rights for the individuals that data is about.
However, in 2016 the EU adopted the final text of the General Data Protection Regulation (GDPR), a Europe-wide regulation that binds every member state of the European Union. The Regulation entered into force in 2016, but it does not apply until 25 May 2018 (which is why everyone is talking about the May 2018 deadline for compliance).
Because the GDPR applies from May 2018 and the UK will almost certainly still be a member of the European Union at that point, UK businesses will have no choice but to ensure they are GDPR-compliant too. Once we leave the EU, the question is how the GDPR will continue to apply.
Post-Brexit data protection
So the clarity the white paper gives us is that at the point the UK leaves the EU the GDPR will still apply. But what is the future of the GDPR in UK law post-Brexit? What will UK data protection law look like after 2019?
The simple answer is that we don't know for sure, and at this point the government is unlikely to commit to anything. The ICO (the UK's data protection regulator) is unlikely to let data protection law fall by the wayside, but, given that so much of the ICO's remit is driven by EU law, will there even be an ICO post-Brexit?
The main factor driving what happens next is straightforward: adequacy. The GDPR reaches beyond the EU's borders: anyone wishing to process personal data on EU subjects has to apply its principles, and personal data can only flow to a country outside the EU if that country has been found to offer adequate protection (or other safeguards are put in place). Leaving the EU therefore risks turning the UK into a 'third country' that has to prove to the EU that its approach to data protection is adequate, and that could mean a host of red tape to achieve and maintain that status.
Three possible outcomes
We don't need to look far for models of how EU data protection law applies to countries outside the EU, and each could be applied to the UK's situation post-Brexit:
- The European Free Trade Association (EFTA) approach, where the UK would remain part of the European Economic Area (EEA) without being a member of the EU, and would therefore be obliged to implement EU data protection law.
- The Swiss model. Switzerland is not part of the EEA but is a member of EFTA, and it is treated as having adequate data protection because its domestic law closely mirrors EU data protection law and has been recognised as adequate by the European Commission. If the UK went down this route we would make sure the GDPR was written, verbatim, into UK law.
- Go it alone. If we did our own thing entirely, becoming a 'third country' for data protection purposes is a real risk, and we would have to demonstrate, as the US does today, that our data protection laws meet EU standards of adequacy. The result would be an arrangement that could be challenged at any time (as the US Safe Harbour arrangement was when the Court of Justice of the EU struck it down in 2015).
Aiming for option three makes little sense given how deeply EU data protection is already entrenched in UK law, and how much energy the UK government and the ICO put into shaping the GDPR into an EU law the UK could support. I'm sure it is no accident that a UK business compliant with the Data Protection Act will not be far off compliance with the GDPR.
But it is not clear whether the UK would be allowed to stay in the EEA or join EFTA post-Brexit, and some speculate that this is not an option at all, which leaves the Swiss model (which will still require some form of adequacy finding).
The UK government's white paper on its approach to Brexit claims to offer clarity via the Great Repeal Bill, but whilst it confirms that EU-derived law will still apply in the UK at the point of Brexit, it offers no certainty about what happens afterwards.
What is clear is that we would be shooting ourselves in the foot if we did not have adequate data protection law going forward, which suggests to me that post-Brexit the UK will keep the same EU-derived data protection law it has pre-Brexit. But we are not going to get answers, or any form of commitment, in the short term.
The GDPR is coming, and the UK will need to be compliant now, in May 2018 when the Regulation applies, and post-Brexit. Failing to be adequate would mean UK businesses could not lawfully process European personal data, and that can only harm the UK business market.