Upon Brexit, in relation to other EU countries (and EEA countries) that are governed by the DPD, the UK will immediately become a “third country” (a country outside the EU for data transfer purposes). The position is complicated by the fact that the EU requirements are themselves changing due to the implementation of the new EU General Data Protection Regulation (the GDPR).
The GDPR
The GDPR will apply in all EU member states from 25 May 2018 without any need for domestic implementing legislation. Brexit is most likely to occur around March/April 2019. So, UK businesses will have to go:
- from operating under the DPA
- to operating under the GDPR
- to operating under whatever regime is introduced post-Brexit.
Data protection options post-Brexit
On 2 October 2016, Theresa May confirmed that all existing EU legislation (including the GDPR) would be transposed directly into UK law on Brexit. However, post-Brexit, it is expected that each piece of legislation will be evaluated and a decision will be taken on whether it should be kept, amended or repealed. When the GDPR falls to be considered, there are a number of options, which will be heavily influenced by the model of relationship that is negotiated with the EU post-Brexit.
Retain the GDPR: The UK could seek an adequacy decision, under which the European Commission would formally recognise the UK’s post-Brexit data protection laws as adequate (“on the White List”). Personal data can be transferred to or from a “White List” country on the same terms as transfers between EU Member States.
As the GDPR will already be in place at the time of Brexit and will have been transposed directly into UK law, obtaining an adequacy decision from the European Commission should be straightforward as the UK’s law would mirror the EU requirements.
EFTA Membership: If the UK joins the European Economic Area as an EFTA state, it will be able to transfer personal data to and from EU member states, but again this would involve retaining the GDPR in full.
Bilateral Data Pact: Another possibility would be to negotiate a bilateral data protection agreement (either stand alone or within a wider trade agreement) with the EU under which UK companies would agree to voluntarily adhere to enhanced protections in order for them to be able to transfer personal data to and from the EU freely. This would be a long process, similar to the one the USA has just gone through to obtain the Privacy Shield, but would enable the UK to repeal the GDPR.
Liberalisation: Another option could be for the UK to transpose the GDPR into domestic law and then amend/repeal aspects of it to reduce restrictions on personal data export. Although liberalisation could be helpful in some areas of business, it would be more difficult for UK businesses to trade with the EU and a number of other countries that impose restrictions on exports to “inadequate” countries (such as Australia).
Alternatively, the extent of the liberalisation could be more limited, but still achieve the required regulatory equivalence. This would be very difficult to achieve as it depends on the European Commission being prepared to accept a model with fewer protections than the GDPR as offering “equivalent” protection.
The likely outcome
It is probable that other issues will be a priority in Brexit negotiations (e.g. financial services passporting and immigration) when reviewing the EU legislation that has been transposed into UK law on Brexit. Given the practical difficulties of transferring data to and from EU member states without the GDPR or equivalent protections, the GDPR is likely to remain untouched post-Brexit. So, rather than Brexit, the key forthcoming development is likely to be the introduction of the GDPR itself. The Information Commissioner’s Officer has warned that organisations should not delay in preparing for the GDPR.
In the next edition of World@Work we will explore the key terms of the GDPR, its impact and what HR teams will need to do to prepare for its implementation.
Authors: Ruth Buchanan, Senior Associate; James Almond, Solicitor
