Brexit - the potential impact on data protection legislation
07 March 2016
We are at an interesting time for data protection legislation in the UK. The existing EU Data Protection Directive, implemented in national law by each Member State, will almost certainly be replaced in 2018 by a new, recently agreed General Data Protection Regulation (the GDPR), which will be directly applicable. This contains some fairly onerous new obligations on those who process personal data, and potentially huge fines for failure to get it right. Data protection has, as a result, been catapulted into the board room and companies are already planning for compliance with the requirements.
At the same time, the current mechanisms for transferring data outside the EU (which are based on a similar toolkit under the GDPR) are under scrutiny. The Safe Harbor regime, which permitted certain transfers to the U.S., was recently declared invalid and national regulators are examining its proposed replacement, the “Privacy Shield”. They are also re-considering whether other compliance actions are subject to the same flaws as Safe Harbor.
We have written a specialist paper which contains our thoughts on the impact a Brexit might have on data protection in the UK. We conclude that, although data protection is cited at times as an example of “red tape”, we do not think that a Brexit would necessarily change the level of data protection expected of companies processing data in the UK to any significant degree. As a matter of policy, UK law would be likely to impose a broadly equivalent level of data protection to that agreed in the GDPR, at least for personal data transferred to or from the EU, if only to avoid (in the long term) the UK putting in place a similar mechanism to the Privacy Shield, or the need for UK companies to adopt other compliance actions, to enable data to be transferred to them.
From a practical point of view, many multinational companies also find it more convenient to put in place policies and procedures that are consistent across the countries in which they operate. If the UK were to adopt looser standards, this would be unlikely to affect their approach to compliance in the UK. Brexit would, however, result in UK companies that operate in Europe no longer being able to have the UK data protection regulator (the ICO) as their lead supervisory authority in the EU.