logo text

Tuesday 28 June 2016

The Impact of Brexit on GDPR Implementation

On 23 June 2016, the UK held a referendum to decide upon its continued membership in the European Union. The referendum resulted in a 52: 48 majority of voters requesting the UK to withdraw its EU membership.

The UK is in a state of political turmoil following the referendum result. To some the vote to leave was great news, to others it is not.  Most of us are shocked. Whichever way you voted, we  are where we are, and need to look forwards, for now at least.

There is no doubt that many critical political, legal and economic decisions will have to be made by the UK Government in the coming weeks and months. In fact, the number of decisions that will have to be made in relation to every area of life and law is overwhelming, particularly given the huge implications of those decisions for the future of the UK, its European neighbours and, without overstating the impact, the world as a whole. 

From the data protection law perspective alone, Brexit has caused much uncertainty. Will the European General Data Protection Regulation (“GDPR”) still be implemented by the UK?  

Our View and the ICO’s View Remain Unchanged

Months before the referendum the ICO stated that, "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU". The Regulator added "Our data protection laws precede EU legislation by more than a decade, and go beyond the current requirements set out by the EU, for instance with the power given to the ICO to issue fines. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and is also central to the sharing of data that international trade relies on". 

Whatever happens in the coming months and years, it is clear that focus on the economy will be of key importance for all.  Given the growth in the digital economy in the UK and elsewhere, clear data protection regulation should also remain a priority  focus and not be side-tracked by other, less pragmatic political agendas.

In our Pritchetts Spring Newsletter (see here) we discussed the impending referendum and expressed our now-unaltered opinion that, “whatever happens, the UK would probably aim to become an EU authorised 'Safe Country' or, as a country outside the EEA, would still be required to have some other kind of "adequate level of protection" in place to permit business with the EEA. Given that the current UK DPA has already been found inadequate by the EC, it is likely that significant change would be required to upgrade the current legislation and meet the enhanced requirements under the GDPR. The UK would therefore most likely have to bring in equivalent legislation to the GDPR, to continue doing any business in the EU which involves personal data transfers to/ between European business partners, group companies etc. The ICO's 'Keep Calm and Carry On' mantra therefore remains a good one when preparing for the GDPR.

The ICO’s response to the Referendum result, issued on 24 June 2016, maintains that approach.  It said: “The Data Protection Act remains the law of the land irrespective of the referendum result…  If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018… With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case… Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.

As appears to be the view of most of the UK’s (and indeed the EU’s) other leading privacy professionals, the Brexit vote is unlikely to change the need to implement the GDPR in the same or similar form. 

But what about timings?

As each new day unfolds, it becomes even less clear how and when exactly the UK will negotiate to exit from the EU.

This article from leading experts sets out why the UK Parliament need to be careful in considering when to pull the Article 50 “trigger” (of the Treaty on the European Union) to officially start our EU withdrawal.  As they have stated, “the timing of the issue of any Article 50 declaration has major implications for our bargaining position with other European States”. 

It is perhaps not surprising that David Cameron has passed that particular torch to whoever the new Prime Minister will be and that politicians on both sides of the remain and leave camps are not rushing to pull the trigger. In actual fact (and despite EU pressure to the contrary and the pressures of market instability), there is no legal limit on how long the UK can wait before it invokes Article 50.  Political commentary is currently suggesting it could be the end of 2016 before we see this notice served. Some politicians are going further, calling for a  wait until the next scheduled general election.  

Even when Article 50 is finally triggered, there is likely to be a long period of negotiation with the EU. Unless there is an agreement to conclude negotiations more quickly, that is then likely to take at least the 2 years afforded by Article 50. This time period can even be extended if all the EU countries  are unanimous that more time is needed. As Article 50 has never been tested before, we have no precedent to guide us as to what is actually most likely to happen next. We are all speculating and watching the unfolding political drama and press commentary with interest, and a degree of morbid fascination.

Leaving the negotiations around Brexit aside, the GDPR will become directly applicable law on all EU Member States on 25 May 2018. As it currently seems unlikely that the UK will have completed our exit from the EU before that date, it is probable that the GDPR will come into force on that date in the UK.  UK organisations will therefore need to continue their current GDPR readiness preparations, “as you were”.

While it is possible that some Eurosceptic MPs may later vote for the data protection legislation to be included in their inevitable bonfire of EU laws, hopefully the better -informed MPs will not take that view and will, instead:

(i) Remember that, as the ICO has pointed out, our UK data protection laws pre-dated EU laws on the same and are already stricter in some areas than the EU equivalent Directive. That is the case because these laws fundamentally exist to protect individuals; individuals like those very same MPs who may wish to throw them on the bonfire in protest. It has become ever-more important to reform the current laws, EU law aside, given the growth of technology, the growth of the world-wide digital marketplace, world-wide cyber security risks and also to counter pervasive and unwanted intrusions into our privacy and digital lives. Our data protection laws are fundamental to us all, whichever side of the EU camp you are on.  They are needed to protect the rights and freedoms of all UK citizens and are needed within a democratic and free society;

(ii) Listen to the sound advice of industry experts, who are well-voiced in the need to protect individuals, customers and employees world-wide by affording them their data protection rights; and

(iii) Listen to the views of their experienced Regulator, the ICO, who are best placed to advise on the need to press on with the reforms needed to our existing law.

Will the ICO’s views change after Christopher Graham leaves today?

UK Information Commissioner, Christopher Graham ends his post today, 28th June 2016 after 7 years as a very sensible and pragmatic chief. In Christopher Graham’s last annual report as Information Commissioner, delivered in London today, he references Brexit, again reiterating the same message that: “Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK… With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case…Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

Elizabeth Denham, previously the Information and Privacy Commissioner in British Columbia and Assistant Privacy Commissioner of Canada, looks set to have a daunting “To Do” list on her arrival as the new UK Information Commissioner.  It is widely believed that Ms Denham will continue to support the approach of her ICO staff and their predecessor, Christopher Graham.  She will undoubtedly also approach this gargantuan task from the perspective of international trading, given her experience across the pond.   

More generally, Elizabeth Denham is well known for her commitment to information rights.  This  includes her ground-breaking investigations into Facebook, her work to improve Google’s privacy standards, her track record on improving data protection practices within government in British Columbia as well as her proactive approach to the protection of privacy with major international companies.  We wish her much luck in her new role and are delighted to have such an experienced Regulator taking the helm of the ICO at such a stormy time for our country.

How Will Trade Negotiations have an impact?
So, assuming that the UK wants to continue obtaining personal data from organisations in the EU and/or offering products or services that require the processing of personal data about data subjects in the EU (whether that is as part of the EEA, the Single Market or otherwise), the UK would need to have a legal framework in place that reflects the GDPR and would enable us to become recognised as an “adequate” jurisdiction by the EU.  This is required in order to allow personal data flows between the EU and the UK to take place (see Article 3(2) of the GDPR).

In our view, it is inconceivable to think that this would not be desirable.  It is not just remote EU countries that we share employees and trade with – many of us have group companies, partner businesses or entrenched trusted service providers even across the small stretch of water (or indeed land in Northern Ireland) with our Irish counterparts. Even at this micro level, you can imagine the difficulties of not allowing personal data to flow in relation to employees or customers, never mind considering the wider picture in relation to the rest of our European counterparts. A UK adequacy decision from the EU will be imperative for businesses.

The exact detail of how that adequacy decision comes out will depend hugely on what direction the EU trade negotiations take.

Should the UK join the single market (such as the EEA or Norway models), the UK would have to adopt the GDPR in full by 25 May 2018, as is the current position.

If the UK should not join the single market or become outside the EEA, the Article 29 Working Party (the future European Data Protection Board) has previously made it clear to other countries outside the EEA that it will insist on a very high level of data protection when considering them for adequacy.  This has clearly been demonstrated in the recent debates that have arisen around transatlantic data trading via the now-defunct US Safe Harbor scheme and the new US Privacy Shield.  That whole debacle must surely serve as a warning to us about non-EEA businesses trading with the EEA.  Many other world-wide countries, such as  Japan most recently, have been going to extreme lengths to demonstrate their data protection adequacy standards to the EU in an attempt to become authorised as ‘adequate’ and to be able to move personal data more freely in and out of the EU to facilitate trade.

As stated above, in our previous newsletter, we were clear about our view that the current UK data protection legislation will certainly not be enough for an ‘adequacy’ decision. Firstly, it is based on the previous European Data Protection Directive which is being repealed. Secondly, the UK has never been viewed to even properly meet the standards of that old Directive. As the ICO has clearly pointed out, “reform of the UK law remains necessary.”

It is our strong view, therefore, that whatever direction trade negotiations with the EU take, the GDPR (or its UK equivalent) will be implemented in the UK. 

So What Should We Do Next?

We must keep a watching eye during our GDPR readiness preparations for how the Brexit negotiations progress. Depending on the UK’s negotiated exit position, we may in due course need to consider amending our data processing and data sharing agreements and arrangements to reflect the fact that the UK might end up with  a separate but, in all probability substantially similar data protection law. We can’t be more specific than that at the moment and the reality is that we all feel we are gazing into slightly murkier version of a crystal ball, but our view on the future of data protection is robust.  

None of us really know what the UK will look like post Brexit, or indeed if we will even have a United Kingdom. Will Scotland and Northern Ireland eventually separate and we’ll also need to consider our own international data transfer agreements with them? It seems unthinkable, but this could just be one of a million commercial and legal consequences.
While the waves roar and threaten to turn all we know on its head, we must steady this ship as best we can for the sake of commercial stability and a pragmatic approach to future-proofing our ability to trade on a worldwide stage.  Our Boards and Managers should be advised that: 
(i) the safest and best approach from a data protection compliance perspective is to continue carrying out our regular data protection audits and GDPR readiness gap analysis to ensure that we have the most robust data protection compliance framework in place.  
(ii) Our framework of policies, procedures, training and compliance personnel should help us not only to meet current UK standards but also the GDPR standards.  These GDPR standards will most likely, in our view, become law.  Even if we are wrong and the law is watered down slightly, it is still likely that the ICO as our Regulator will endorse the same principles as best practice standards. See our previous Blog article ‘GDPR Readiness – Where to Start’.
It is our view that changes to UK data protection law to bring it in line with the GDPR are coming one way or another.  Given the current choppy waters and the likelihood of the storm continuing for some time to come, most importantly perhaps, you should keep regularly reviewing your data protection compliance framework across all your business functions and operations to ensure you are able to adapt that framework regularly and as needed to cope with the unknown changes to come.
If you need any advice or support with your data protection compliance in general terms and in anticipation of the changes coming under the GDPR, please don’t hesitate to contact Pritchetts.