Proposed changes to European Data Protection Law and the impact of 'Brexit'
On 14 April 2016, after four years of drafting and negotiations, the General Data Protection Regulation (GDPR) was adopted at the EU level. The GDPR is now officially EU law and will apply directly in all EU countries, replacing existing EU and national data protection legislation. In the UK it will replace the current Data Protection Act 1998.
The GDPR will have a significant and wide-ranging impact on businesses in all industry sectors, imposing new compliance obligations and promising significant sanctions for non-compliance.
Despite the result of the UK 'Brexit' referendum held on 23 June 2016, data protection standards are unlikely to be affected. Details of how and when the UK will negotiate its exit are still unclear and the process for withdrawal will likely take a minimum of 2 years. Only once the UK serves notice of its intention to exit the EU, using the formal legal procedure set out in Article 50 of the Treaty on European Union, will the process for withdrawal begin. As yet, no notice has been served and the UK government has given no indication of when a notice might be served. The GDPR is therefore highly likely to become law on 25 May 2018, regardless of the referendum result, and the UK will likely adopt the GDPR before any equivalent domestic legislation can be implemented.
As many businesses will want to trade in the EU once the UK formally leaves the EU, it is highly likely that the UK would seek to put in place a legal framework that reflects the GDPR. In particular, it appears that the UK would seek recognition as an 'adequate' jurisdiction in order to allow the free flow of data from the EU to the UK. The UK's privacy regulator, the Information Commissioner's Office (ICO), confirmed in a statement issued on 24 June 2016 that if the UK wants to trade with the single market on equal terms, the UK would have to prove 'adequacy'. This essentially means that UK data protection standards would have to be equivalent to the GDPR framework.
EU law also has an extraterritorial effect, so a UK business targeting people in the EU would still be subject to EU data protection law even if the UK is no longer a member of the EU. Companies should therefore continue to prepare for, and start to comply with, the GDPR and will need to review and make adjustments to their compliance programs to reflect the fact that the UK will have a separate (albeit similar) data protection law to the EU.
Jaymini is an associate in the Corporate team.