Now that the UK is leaving mainland Europe behind, what does that mean to the upcoming changes in Data Protection Laws? Can we just ditch it and do what we like with our data? First, let’s have a brief recap.
On 4 May 2016, the EU Parliament approved the new General Data Protection Regulation which updates the Data Protection Act from 1998 for the digital age. Each EU member state has to incorporate the new laws by 6 May 2018, with it coming into force from 25 May 2018. So that gives each EU country just under two years now to update its Data Protection Laws.
Two years. How long does Article 50 give us to leave the EU? Two years. It is therefore very likely that the UK will still be a member state of the EU come 25 May 2018. Does that mean we have to implement this new change, though? Well, this is tricky. Would the EU penalise the UK if it didn’t? Given the EU’s current tough stance, it could happen. Furthermore, although no one knows for certain how Brexit will be implemented at this time, one potential solution is to transcribe all EU laws into UK law first, which would ensure a swift exit. Then once the UK has left the EU, the process can be started within the UK to rewrite the laws.
So from that point of view, it looks like the new General Data Protection Regulation would be adopted in the UK.
Even if we could avoid implementing this Directive for the short time the UK remains in the EU, the ICO points out that in order for the UK to do business with the EU (which the UK is very keen to do), the UK would have to prove “adequacy” with regards to its Data Protection law. As the ICO puts it: “in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
And that last point is, of course, the clincher.
Two last points. Last year, the EU found that the US Safe Harbour agreement was not sufficiently adequate to guarantee that EU data would not be misused. The prime reason for this inadequacy was the fact that there is no guarantee that US surveillance would not intercept the data. This has taken a year to resolve (well, it will be resolved shortly, or so we’re told), so the EU is not afraid to stand by its word.
Secondly, the UK is also keen on data surveillance. While it is a member of the EU, the UK has negotiating power to influence what the revised data protection laws in the UK should look like. It may therefore had got its way to make Data Protection Laws in the UK not as tight as in some other member states, just as it did with the 1998 Data Protection Act. Outside of the EU, it will be a lot harder for the UK to influence this requirement. For the UK to have adequate data protection laws, it will have to adopt the EU regulation.
So, it looks very unlikely that we can ditch the new Data Protection Regulation and we should work on our best practise to implement its requirements as soon as possible.
For further advice or assistance, please do not hesitate to contact Christian Propper.
-Christian Propper, Senior Consultant