Now that the UK has voted to leave the EU, what is the future for the UK’s data protection regime?
Data protection framework
All businesses handle personal data, whether relating to their employees, customers or suppliers. Data protection rules cover what organisations can do with such data and how it must be kept secure.
The current UK data protection regime is in the Data Protection Act 1998, which implements the EU Data Protection Directive 1995. These will continue to apply while the UK is in the EU.
Whether the UK‘s data protection regime would be impacted by Brexit depends on the terms and timing of the UK and EU’s divorce. Companies with cross border data flows should already be preparing for the EU’s forthcoming General Data Protection Regulation, which will have effect from 2018 and apply to the UK if it is still in the EU at this time.
See our article http://www.ts-p.co.uk/publications/data-protection for further information on the upcoming regulations.
After leaving the EU, if the UK opts to remain in the European Economic Area (the EEA), the Norway approach, then the Directive will continue to apply to the UK as a member of the EEA.
If the UK leaves the EEA it could, theoretically, choose to change its data protection laws and diverge from the rest of the EU, it this was deemed desirable by the then government.
Implications for data sharing if UK leaves EEA
Both the current and forthcoming EU data protection regimes permit the transfer of personal data within the EEA but very tightly regulate transfers outside of the EEA. If the UK were to end up outside of the EEA, there would be significant challenges to businesses’ ability to share data across Europe.
EU rules prevent the transfer of data to countries outside the EEA unless it can be shown that such countries have adequate data protection laws. The EU Commission is tasked with identifying whether a country has adequate data protection safeguards. So post Brexit, only if UK is deemed to have adequate safeguards it will be able to continue sharing data with EEA countries with the same ease at it does now.
If the EU decides that the UK does not have adequate safeguards (which might occur if the UK were to water down its data protection measures) this could cause many problems. For example if a German based multinational company needed to supply details relating to EU clients to a UK data centre, it would not be able to do so unless certain EU criteria were met. Such hurdles could force companies to move their EU data centres to more attractive locations within the EU.
In 2015 the US lost its adequacy status, requiring individual US companies to undergo lengthier compliance processes. Therefore the availability of adequacy status for the UK is not guaranteed.
If the UK were to ease its data protection laws, it could make it easier to exchange data with non-EU countries and so a more attractive as a destination for business. But increasingly non-EU countries, such as Singapore, are adopting data protection laws that follow the EU model (in order to gain access to EU data). As a condition of being granted access, such countries have had to introduce export controls to prevent EU data reaching jurisdictions considered unsafe, which could include the UK in this scenario.
The risks of the UK watering down its data protection regime post Brexit are wide ranging, whereas maintaining the current levels of protection based on EU standards would be the best way to ensure that businesses can still easily transfer data outside the UK. But how does this sit with the fact that the UK just voted leave to ‘free’ itself from having to comply with EU laws?
If you have any further questions regarding the impact of Brexit on the data law, please do not hesitate to contact Senior Associate, Ben Stepney or Trainee Solicitor Naadim-Khan Samji of at Thomson Snell & Passmore LLP on 01892 701359 or at firstname.lastname@example.org or email@example.com.