Brexit will not affect data protection laws

There has been a lot of confusion and fear mongering around the implications of Brexit to data protection law.

However, despite the current media frenzy, nothing will actually change in the short term. The Data Protection Act 1998 is an Act of UK Parliament and remains the law of the land regardless of the UK’s EU status. The ICO made this point clear when it released a prompt statement on 24 June:

“The Data Protection Act remains the law of the land irrespective of the referendum result.”

In other words, for at least the next two years there will effectively be no changes to data protection laws.

Brexit and GDPR

As we have reported, the European Union will likely sign General Data Protection Regulation (GDPR) into law in 2016. The regulation represents the most significant global development in data protection law since the EU Data Protection Directive in 1995 and, due to the sweeping changes, firms are already investing serious resources in preparation for GDPR.

The crux is that a “regulation”, unlike a “directive”, is applicable in all EU member states without the need for national legislation. The expected enforcement date is spring 2018, right around the expected official Brexit date. With the UK leaving the EU, technically GDPR no longer applies and the UK is not currently working on a similar update to its data protection laws.

Therefore, the question on everybody’s mind is: will UK companies need to adhere to GDPR after Britain exits the union?

The likely answer is yes. GDPR, or some form of it, will be binding for UK companies regardless of Brexit, and companies should continue preparing for the regulations. There are two main reasons for this.

1. GDPR applies to non-EU companies

The regulation states that it applies to any non-EU companies that process the data of EU residents. This is true even if a company has no physical presence in the EU. Therefore, for most UK companies, the cost of doing business with Europe will be adhering to GDPR.

2. The ICO intends to introduce ‘adequacy’

According to the ICO statement from 24 June 2016:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”

The ICO is signalling that it will push the UK legislature to implement laws that are similar to GDPR in order to facilitate cross-border commerce.

The danger here is that the ICO might have to negotiate a ‘Model Clause’ contract that companies can use to facilitate and regulate transfer of data between EU and non-EU countries. This process has been fraught with issues in US-EU relations, with the European Court of Justice overturning the Safe Harbour treaty in October and officials scrambling to negotiate the new EU-US Privacy Shield.

Alternatively, Parliament will implement data protection laws that are identical or similar enough to the GDPR. In that scenario the UK and EU could come to an understanding that data can flow securely and freely across borders without the need for companies to have Model Clauses.

Next steps

In spite of Brexit, companies should continue preparing for GDPR as if Remain won the referendum. If you are responsible for implementing compliance with GDPR and you do not know where to start, the ICO has published a guide with 12 steps to take right now in order to prepare for the GDPR.