So what changed on June 23, 2016? Maybe everything, and then again, maybe nothing at all. The UK is leaving the EU. While this decision will have far-reaching implications for years to follow, it may be far less impactful for data protection laws, at least in the short term.
While it is far too early to tell, the most logical result of Brexit is that not very much will change at all. The EU's latest data protection laws are known as the General Data Protection Regulations ("GDPR"). They become enforceable in 2018, and prior to Brexit becoming official, all companies in the EU were ramping up to comply with the GDPR. The GDPR was intended to supplant the EU's Data Protection Directive, under which the UK adopted its Data Protection Act of 1998 (the "DPA"), and the GDPR is the most comprehensive and restrictive set of data protection laws the world has seen to date.
Even if the UK doesn't want to adhere to the GDPR by 2018 (assuming Brexit is official by then), the UK practically may be required to adhere to it. If the UK intends to remain with the European Economic Area ("EEA") so that it may freely trade with the remaining EU countries, the UK must, as a condition for such free trade rights, adhere to a number of EU laws, including the GDPR. For this reason alone, it's hard to imagine that the UK would soon enact vastly different data protection rules that would not be in harmony with the GDPR. This is especially true given the ever-growing dependency of all companies, including UK companies, on the global nature of digitized information in and out of their borders. If the UK decides to leave the EEA, it will not be alone. Switzerland is neither an EU nor EEA member, but is part of the "single market," meaning Swiss citizens have the same rights to live and work in the EEA as other EEA nationals.
What is unclear is whether this adherence to EU laws, and specifically the GDPR, will remain viable in the long term. Since the UK had a voice in drafting the current iteration of the GDPR, future changes to it and other privacy laws may be more difficult for the UK to swallow. If it remains part of the EEA, the UK will be required to adhere to all future EU laws with respect to data protection without having a voice in the process.
Let's now suppose that the UK elects to not follow the GDPR in the short term. In that case, the DPA will remain the law of the UK after the exit is official, unless the UK implements different data protection standards between now and then. If the UK enacts its own laws that are less restrictive than the GDPR, transfer of personal data from the EU to the UK would be restricted unless the UK provides evidence that it has adequate levels of protection (translated: equivalent levels of protection to the GDPR). Since many businesses in the UK are well down the road of trying to comply with the GDPR by the enforcement date of 2018, it seems unlikely that the UK would change its data protection laws in any meaningful way between now and then, even with Brexit looming.
The days ahead will prove to be turbulent, but likely not any more so for privacy professionals. The GDPR has been at the forefront since its enactment in 2015, and it seems unlikely that Brexit will change that. Stay tuned for more!
© 2020 Ward and Smith, P.A.
This article is not intended to give, and should not be relied upon for, legal advice in any particular circumstance or fact situation. No action should be taken in reliance upon the information contained in this article without obtaining the advice of an attorney.