By Alan Meneghetti, Esq. of Locke Lord LLP
In immediate response to the outcome of the recent referendum in the United Kingdom (UK) to leave the European Union (EU), the UK’s data protection regulator, the Information Commissioner’s Office (ICO), released the following statement confirming the UK’s current and future position:
“The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Despite the UK’s vote to leave the EU on June 24, 2016 (commonly referred to as Brexit), the EU General Data Protection Regulation (GDPR), which comes into force directly across the EU on May 25, 2018, remains relevant to the UK for a number of reasons set out below.
In order to leave the EU, a formal process must be followed commencing with the activation of Article 50 of the 2009 Lisbon Treaty. Once this has occurred, the UK and the remaining member states of the EU must negotiate the UK’s exit. These negotiations are required to be completed within two years (unless extended by the agreement of the European Council and the UK). As the GDPR will come into force on May 25, 2018, this means that, in all probability, the UK will still be a member of the EU when the GDPR comes into force and, as such and by virtue of the European Communities Act of 1972, the GDPR will apply directly in UK domestic law on May 25, 2018.
If the UK does indeed leave the EU and the UK subsequently elects not to retain the GDPR (whether in whole or in part), as the ICO has stated: “The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.” It seems unlikely that the UK will then embark upon a wholesale redrafting of its data protection legislation given the fact that it already has, in the GDPR, an instrument which is fit for purpose, as well as one in which it played a major role in negotiating and which, if followed, would align the UK’s legal position on data protection with that of its European neighbors, opening the door to a finding that the UK, notwithstanding that it was not a member of the EU, was a territory which provided an adequate level of protection under Article 45 of the GDPR.
Impact of the GDPR on the UK now
Data protection across the EU and European Economic Area (EEA) is regulated by national laws implementing EU Directive 95/46/EC (the Directive), which in the UK is currently (and until the coming into force of the GDPR on May 25, 2018) the Data Protection Act 1998 (DPA). As the UK will almost certainly still be a member of the EU on May 25, 2018, on this date the GDPR will immediately supersede the DPA and apply to the UK until such a time as it formally leaves the EU, following the activation of Article 50 of the 2009 Lisbon Treaty.
The timetable for a Brexit (and, for that matter, whether there will be a Brexit) is, at the time of writing, uncertain. The real impact of the GDPR in the UK depends on how any exit negotiations between the UK and EU develop; the GDPR may be in force in the UK for as little as a few weeks, a few months, or potentially a few years. After the point at which the UK is no longer a member of the EU and the GDPR and all other EU laws are no longer directly applicable to the UK, the GDPR will need to be replaced by a new UK domestic law. For the reasons noted above, it is difficult to see how this would be anything other than significantly similar to the GDPR.
Reform going forward
Between now and the date of any Brexit, Her Majesty’s Parliament faces various options for how to deal with EU legislation, including the GDPR. In the future, for example, the Parliament could keep the DPA in its existing form or revise it, introduce new UK legislation in broadly similar terms to the GDPR or depart from the EU’s approach to data protection entirely.
The UK’s Information Commissioner, Christopher Graham, has stressed that these reforms to the existing data protection regime (as contained in the DPA) would need to continue despite the UK’s exit:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”