On 23 June 2016, the UK held a referendum to decide upon its continued membership of the European Union. The referendum resulted in a 52:48 majority of voters requesting that the UK withdraw from the EU.
The UK is in a state of political turmoil following the referendum result. To some the vote to leave was great news; to others it was not. Most of us are shocked. Whichever way you voted, we are where we are, and need to look forwards, for now at least.
There is no doubt that many critical political, legal and economic decisions will have to be made by the UK Government in the coming weeks and months. In fact, the number of decisions that will have to be made in relation to every area of life and law is overwhelming, particularly given the huge implications of those decisions for the future of the UK, its European neighbours and, without overstating the impact, the world as a whole.
From the data protection law perspective alone, Brexit has caused much uncertainty. Will the European General Data Protection Regulation (“GDPR”) still be implemented by the UK?
Our View and the ICO’s View Remain Unchanged
Months before the referendum the ICO stated that, "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU". The Regulator added: "Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on".
Whatever happens in the coming months and years, it is clear that focus on the economy will be of key importance for all. Given the growth in the digital economy in the UK and elsewhere, clear data protection regulation should also remain a priority focus and not be side-tracked by other, less pragmatic political agendas.
In our Pritchetts Spring Newsletter (see here) we discussed the impending referendum and expressed our now-unaltered opinion that, “whatever happens, the UK would probably aim to become an EU authorised 'Safe Country' or, as a country outside the EEA, would still be required to have some other kind of "adequate level of protection" in place to permit business with the EEA. Given that the current UK DPA has already been found inadequate by the EC, it is likely that significant change would be required to upgrade the current legislation and meet the enhanced requirements under the GDPR. The UK would therefore most likely have to bring in equivalent legislation to the GDPR, to continue doing any business in the EU which involves personal data transfers to/between European business partners, group companies etc. The ICO's 'Keep Calm and Carry On' mantra therefore remains a good one when preparing for the GDPR.”
The ICO’s response to the Referendum result, issued on 24 June 2016, maintains that approach. It said: “The Data Protection Act remains the law of the land irrespective of the referendum result… If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018… With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case… Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
As appears to be the view of most of the UK’s (and indeed the EU’s) other leading privacy professionals, the Brexit vote is unlikely to change the need to implement the GDPR in the same or similar form.
But What About Timings?
As each new day unfolds, it becomes even less clear how and when exactly the UK will negotiate its exit from the EU.
This article from leading experts sets out why the UK Parliament needs to be careful in considering when to pull the Article 50 “trigger” (of the Treaty on European Union) to officially start our EU withdrawal. As they have stated, “the timing of the issue of any Article 50 declaration has major implications for our bargaining position with other European States”.
It is perhaps not surprising that David Cameron has passed that particular torch to whoever the new Prime Minister will be, and that politicians on both the remain and leave sides are not rushing to pull the trigger. In fact (and despite EU pressure to the contrary and the pressures of market instability), there is no legal limit on how long the UK can wait before it invokes Article 50. Political commentary is currently suggesting it could be the end of 2016 before we see this notice served. Some politicians are going further, calling for a wait until the next scheduled general election.
Even when Article 50 is finally triggered, there is likely to be a long period of negotiation with the EU. Unless there is an agreement to conclude negotiations more quickly, that is then likely to take at least the 2 years afforded by Article 50. This time period can even be extended if all the EU countries are unanimous that more time is needed. As Article 50 has never been tested before, we have no precedent to guide us as to what is actually most likely to happen next. We are all speculating and watching the unfolding political drama and press commentary with interest, and a degree of morbid fascination.
Leaving the negotiations around Brexit aside, the GDPR will become directly applicable law in all EU Member States on 25 May 2018. As it currently seems unlikely that the UK will have completed its exit from the EU before that date, it is probable that the GDPR will come into force on that date in the UK. UK organisations will therefore need to continue their current GDPR readiness preparations, “as you were”.
While it is possible that some Eurosceptic MPs may later vote for the data protection legislation to be included in their inevitable bonfire of EU laws, hopefully the better-informed MPs will not take that view and will, instead:
(i) Remember that, as the ICO has pointed out, our UK data protection laws pre-dated EU laws on the same subject and are already stricter in some areas than the equivalent EU Directive. That is the case because these laws fundamentally exist to protect individuals; individuals like those very same MPs who may wish to throw them on the bonfire in protest. EU law aside, it has become ever more important to reform the current laws, given the growth of technology, the growth of the world-wide digital marketplace and world-wide cyber security risks, and also to counter pervasive and unwanted intrusions into our privacy and digital lives. Our data protection laws are fundamental to us all, whichever side of the EU camp you are on. They are needed to protect the rights and freedoms of all UK citizens and are needed within a democratic and free society;
(ii) Listen to the sound advice of industry experts, who are well-versed in the need to protect individuals, customers and employees world-wide by affording them their data protection rights; and
(iii) Listen to the views of their experienced Regulator, the ICO, who is best placed to advise on the need to press on with the reforms needed to our existing law.
Will the ICO’s Views Change After Christopher Graham Leaves Today?
UK Information Commissioner Christopher Graham ends his post today, 28th June 2016, after 7 years as a very sensible and pragmatic chief. In Christopher Graham’s last annual report as Information Commissioner, delivered in London today, he references Brexit, again reiterating the same message that: “Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK… With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case… Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
Elizabeth Denham, previously the Information and Privacy Commissioner in British Columbia and Assistant Privacy Commissioner of Canada, looks set to have a daunting “To Do” list on her arrival as the new UK Information Commissioner. It is widely believed that Ms Denham will continue to support the approach of her ICO staff and their predecessor, Christopher Graham. She will undoubtedly also approach this gargantuan task from the perspective of international trading, given her experience across the pond.
More generally, Elizabeth Denham is well known for her commitment to information rights. This includes her ground-breaking investigations into Facebook, her work to improve Google’s privacy standards, her track record on improving data protection practices within government in British Columbia, as well as her proactive approach to the protection of privacy with major international companies. We wish her much luck in her new role and are delighted to have such an experienced Regulator taking the helm of the ICO at such a stormy time for our country.
How Will Trade Negotiations Have an Impact?
So, assuming that the UK wants to continue obtaining personal data from organisations in the EU and/or offering products or services that require the processing of personal data about data subjects in the EU (whether that is as part of the EEA, the Single Market or otherwise), the UK would need to have a legal framework in place that reflects the GDPR and would enable us to become recognised as an “adequate” jurisdiction by the EU. This is required in order to allow personal data flows between the EU and the UK to take place (see Article 3(2) of the GDPR).
In our view, it is inconceivable to think that this would not be desirable. It is not just remote EU countries that we share employees and trade with – many of us have group companies, partner businesses or entrenched trusted service providers even across the small stretch of water (or indeed land in Northern Ireland) with our Irish counterparts. Even at this micro level, you can imagine the difficulties of not allowing personal data to flow in relation to employees or customers, never mind considering the wider picture in relation to the rest of our European counterparts. A UK adequacy decision from the EU will be imperative for businesses.
The exact detail of how that adequacy decision comes out will depend hugely on what direction the EU trade negotiations take.
Should the UK join the single market (such as under the EEA or Norway models), the UK would have to adopt the GDPR in full by 25 May 2018, as is the current position.
If the UK does not join the single market, or otherwise ends up outside the EEA, the Article 29 Working Party (the future European Data Protection Board) has previously made it clear to other countries outside the EEA that it will insist on a very high level of data protection when considering them for adequacy. This has clearly been demonstrated in the recent debates that have arisen around transatlantic data trading via the now-defunct US Safe Harbor scheme and the new US Privacy Shield. That whole debacle must surely serve as a warning to us about non-EEA businesses trading with the EEA. Many other countries world-wide, such as Japan most recently, have been going to extreme lengths to demonstrate their data protection adequacy standards to the EU in an attempt to become authorised as ‘adequate’ and to be able to move personal data more freely in and out of the EU to facilitate trade.
As stated above, in our previous newsletter we were clear about our view that the current UK data protection legislation will certainly not be enough for an ‘adequacy’ decision. Firstly, it is based on the previous European Data Protection Directive, which is being repealed. Secondly, the UK has never been viewed as properly meeting even the standards of that old Directive. As the ICO has clearly pointed out, “reform of the UK law remains necessary.”
It is our strong view, therefore, that whatever direction trade negotiations with the EU take, the GDPR (or its UK equivalent) will be implemented in the UK.
So What Should We Do Next?
We must keep a watching eye during our GDPR readiness preparations on how the Brexit negotiations progress. Depending on the UK’s negotiated exit position, we may in due course need to consider amending our data processing and data sharing agreements and arrangements to reflect the fact that the UK might end up with a separate but, in all probability, substantially similar data protection law. We can’t be more specific than that at the moment, and the reality is that we all feel we are gazing into a slightly murkier version of a crystal ball, but our view on the future of data protection is robust.
None of us really know what the UK will look like post-Brexit, or indeed if we will even have a United Kingdom. Will Scotland and Northern Ireland eventually separate, so that we’ll also need to consider our own international data transfer agreements with them? It seems unthinkable, but this could just be one of a million commercial and legal consequences.
While the waves roar and threaten to turn all we know on its head, we must steady this ship as best we can for the sake of commercial stability and a pragmatic approach to future-proofing our ability to trade on a worldwide stage. Our Boards and Managers should be advised that:
(i) The safest and best approach from a data protection compliance perspective is to continue carrying out our regular data protection audits and GDPR readiness gap analysis to ensure that we have the most robust data protection compliance framework in place.
(ii) Our framework of policies, procedures, training and compliance personnel should help us to meet not only current UK standards but also the GDPR standards. These GDPR standards will most likely, in our view, become law. Even if we are wrong and the law is watered down slightly, it is still likely that the ICO as our Regulator will endorse the same principles as best practice standards. See our previous Blog article ‘GDPR Readiness – Where to Start’.
It is our view that changes to UK data protection law to bring it in line with the GDPR are coming one way or another. Given the current choppy waters and the likelihood of the storm continuing for some time to come, most importantly perhaps, you should keep regularly reviewing your data protection compliance framework across all your business functions and operations to ensure you are able to adapt that framework regularly and as needed to cope with the unknown changes to come.
If you need any advice or support with your data protection compliance in general terms and in anticipation of the changes coming under the GDPR, please don’t hesitate to contact Pritchetts.