The House of Commons Library, which aims to provide impartial research and analysis to MPs and their staff, has published a briefing paper on the impact of Brexit on data protection law in the UK (“the Paper”).
The Paper summarises the background to EU data protection law and notes that inconsistent implementation of the Data Protection Directive (95/45/EC) across EU Member States led to the European Commission proposing a new legislative framework for data protection. In its now finalised form, this has two elements:
- The General Data Protection Regulation (Reg 2016/679), which came into force 24 May 2016, with a two-year implementation period (“GDPR”); and
- The Directive on data transfers for policing and judicial purposes (2016/680/EU), which came into force 5 May 2016, and must be transposed into national law by Member States by 6 May 2018.
The GDPR will apply in the UK from 25 May 2018, although part of the Data Protection Act 1998 will need to be repealed to avoid any duplications or inconsistencies with the GDPR. Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union earlier this year that the Government “will bring forward legislation in the next session in order to put that into practice”. The Queen’s Speech of 21 June 2017 also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”. (See our recent blog on this for further details.)
The key concern for businesses processing personal data is what will happen after the UK leaves the EU, in particular in relation to data transfers to the UK. The Paper explains that currently, under the EU’s data protection framework, any country other than a Member State of the EU and EEA is classed as a ‘third country’, and personal data can only be transferred to a third country where an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” for the UK so that data can flow from EU/EEA Member States. The Paper notes that in his evidence to the Lords Select Committee, Hancock confirmed that the Government is “keen to ensure that data flows are unhindered” when the UK leaves the EU, and that it “wants an arrangement that provides for the unhindered exchange of data, within an appropriate data protection environment”. He agreed that an adequacy decision of the European Commission could work, although noted that there are many ways in which data flows might be achieved. However, no further details were provided regarding potential options for this, in case it fettered discussion in future Brexit negotiations.
Elizabeth Denham, the Information Commissioner, when giving her evidence to the Lords Select Committee, suggested that an adequacy decision would be the best way forward because “it is the most straightforward arrangement for the commercial sector and certainly for citizens and consumers who want their data transferred and interchanged between the EU and the UK”.
The Paper notes that concerns have been expressed as to whether the UK’s data protection regime will be considered “adequate”, and evidence given by the Information Commissioner, as well as by several academics and lawyers, to the Lords Select Committee suggests that it may not be possible to achieve adequacy on day-one post-Brexit because of the legal process involved. In any event, however, the European Commission may not technically be able to make an adequacy decision in relation to the UK until it actually becomes a “third country”, which will not happen until the UK leaves the EU.
Although the Paper does not provide any firm conclusions regarding data protection in the UK post-Brexit, the following points can be noted:
- The impact of the GDPR in the UK will very much depend on what businesses have done to date to comply with the current regime under the Data Protection Act 1998. Those companies that handle data appropriately, have good cybersecurity arrangements in place, and respect individuals’ privacy, should not find this too much of a burden. However, there will be resource implications for those companies that don’t currently operate within best practice. The GDPR also impacts on regulators, including the UK’s Information Commissioner’s Office, as they will have work to do to ensure they have the resources and power to enforce the GDPR’s implementation.
- The issue of data transfers to the UK post-Brexit continues to be a real concern for businesses, and one supported by the views of politicians and legal academics alike: while an adequacy decision in the UK’s favour is one option, it is still a very formal legislative process which will take a lot of work to achieve and, potentially, a long time. It therefore cannot necessarily be viewed as a straightforward option, and is one that could leave a large gap for UK businesses that need to receive data from the EU/EEA. The UK Government will therefore arguably need to consider what transitional arrangements may be required to give some certainty to both businesses and individuals on the UK’s position in relation to data protection immediately post-Brexit.