What does Brexit mean For EU data protection laws?

Brexit will probably have little effect on the need to comply with the new GDPR. Most firms doing business internationally should already be taking preliminary steps to comply. Even before the results of the referendum were known, the UK’s Information Commissioner’s office issued a statement that “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.”

More recently, the ICO stated: “The Data Protection Act remains the law of the land irrespective of the referendum result.If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the single market on equal terms we would have to prove ‘adequacy’. In other words UK data protection standards would have to be equivalent to the EU’s GDPR framework.”

Much will depend on the negotiations that precede Brexit. But whatever is finally agreed, the fact remains that the UK will still be an EU member in May 2018, when the new regulation comes into effect. So the ICO statement and the likelihood of fines for non-compliance are two good reasons why UK should take the GDPR seriously. But there is more.

As the ICO states, if companies in the UK wish to continue to trade with the EU, they really will have little choice but to comply. What are the benefits and/or alternatives to non-compliance with GDPR?

“DP haven”? – Some have talked about creating a “data protection haven” to attract business to the UK. But it is difficult to see how the UK could get away with implementing privacy laws that are not substantially similar to the GDPR. The EU already has regulations regarding the transfer of data from the EU to other countries, and they are currently engaged in a protracted dispute with the USA over the issue of US data flows. 

“DP Light”? – Others have talked about the UK reviewing all its data laws on data protection and that the UK should move to a much “lighter regime”. We would then need to convince the EU that our new, alternative regulations are acceptable.

But if the UK tried to avoid some of the more onerous provisions of GDPR, the UK could win their agreement. The UK and the Commission have a long history of disagreements concerning the implementation of data protection laws to the standards required by Europe. The recent invalidation of “Safe Harbour” clearly indicates the likely approach of the Commission. If it has to make an assessment of the UK’s post-Brexit new data protection regime, the UK is already pushing at the limits of what is permissible under current EU DP law. It is unlikely to succeed with anything much short of total compliance.

If the UK wants to position itself as a global hub for international business, technology, data, science medical research and so on, it will have to be very circumspect in finding the right balance in their post-Brexit DP legislation. It will have to keep the EU happy, as well as being able to deal on an equal footing with the rest of the world. In view of all this, I reiterate what I stated at the top of this article. Businesses and undertakings in the UK will be well advised to commence initial planning for the introduction of the main provisions of the GDPR, if they have not already, and keep a close watch on events.

David Lello is director of Burning Tree.

It has taken over three years of discussions, across multiple levels, but the principles of the new EU Data Protection Regulations have finally been agreed. The regulations will replace the current EU Data Protection Directive and aim to harmonise the data protection and privacy landscape for all members of the EU.

Share this story

Send this to a friend