Brexit and the GDPR: full steam ahead for implementation?

Now that the dust is starting to settle following the UK's decision to leave the European Union ("EU"), we consider whether the future of data protection law in the UK has become any clearer.

What is the current position regarding UK data protection laws?
The Data Protection Act 1998 ("DPA") and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") currently remain unaffected even though they are based on EU directives. We look at the position of the DPA and GDPR below. An EU review of PECR is ongoing and the European Commission recently indicated that its aim was to align any reforms to PECR with the date of coming into force of GDPR - this target is considered by some commentators to be ambitious.

Will GDPR still come into force in the UK in May 2018?
Our article, "EU Referendum Results – the vote is to leave, so what happens now?", explains that following service of an Article 50 notice to leave the EU, the UK will formally remain a member of the EU until at least June 2018, and probably for some time beyond. EU Regulations such as GDPR are directly applicable in all Member States. In any event, GDPR enters into force on 25 May 2018, i.e. before the UK's expected formal withdrawal from the EU. As such, it seems likely that there will be a period during which GDPR will be applicable in the UK, but for how long is unclear.

Will the UK still have data protection laws once it has left the EU?
Yes. Although no formal Government announcement has been made on data protection specifically, it is considered certain that there will continue to be data protection laws which are at least equivalent to, and in all likelihood strengthened from, current DPA standards.

Can UK businesses just forget about GDPR post Brexit?
Not necessarily – UK businesses that operate cross border will still need to consider GDPR irrespective of the domestic post Brexit data protection law position. UK businesses will, for example, be caught by GDPR in each EU Member State in which they have an 'establishment' involving personal data processing. Following a series of recent European cases, the threshold for whether a company is 'established' in the EU for these purposes is considered to be lower than previously thought. Even if a UK organisation has no formal branch office set up in the EU, any regular activities or operations in the EU involving personal data processing can be enough to attract EU data protection laws.

It is widely expected that the EU would impose comparable GDPR standards on the UK should it enter a Single Market arrangement following Brexit. Aside from this, a well-established principle of EU data protection law is that EU Member States must ensure that personal data they transfer outside the European Union is afforded adequate protection by the organisation handling it in the non-EU country. This position will remain under GDPR. Therefore, those UK businesses whose dealings or trade with EU organisations involve them receiving personal data from such organisations should expect to be subject to an obligation to comply with comparable EU standards in relation to their UK data processing activities.

Furthermore, it is possible that post Brexit, UK businesses that operate across borders will be caught by the expanded territorial reach of GDPR in any event. Even if a UK business is not established in the EU, any processing of personal data that it carries out relating to, for example, the offering of goods and services to individuals in the EU will be caught by GDPR. Businesses that have entirely UK-based e-commerce websites will need to consider the implications if those websites are EU consumer facing.

Should businesses still carry on with their GDPR implementation plans?
In view of the above situation, it may make sense for UK businesses that operate in the EU, target their business towards individuals in the EU, or trade or deal with EU organisations, to continue with their GDPR implementation plans notwithstanding Brexit, or at least to undertake a detailed assessment of the extent to which GDPR will continue to affect their activities post Brexit.

Conclusion
What seems certain is that the UK will continue to have data protection laws; the question is rather how closely these laws might resemble GDPR post Brexit. In his last annual report to parliament as Information Commissioner before handing over to Elizabeth Denham, Christopher Graham stressed that the office would continue to impress on Government its view that UK data protection reform remains necessary and would continue to work closely with regulators in other countries. Businesses should therefore continue to track closely guidance and policy development on UK data protection reform, as well as considering their position in relation to any cross border activities.

The Department of Culture, Media and Sport is reportedly keen to hear from stakeholders over the next few months on their views about how data protection laws should evolve.

As highlighted in guidance from the Information Commissioner's Office, many of the concepts and principles of GDPR are much the same as those in the DPA, and are likely to remain in domestic data protection law going forward. Until there is more certainty about precisely what UK data protection law will look like post Brexit, organisations should as a minimum be able to demonstrate full compliance with the DPA.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.

Elaine Fletcher

Director

I specialise in data protection and freedom of information law. I believe that compliance done well is a business facilitator not a blocker, and that privacy by design brings commercial benefits.