Brexit and data protection in the UK

If the UK is to leave the EU in the foreseeable future, there will be a huge – and so far unquantified – legislative burden. Although individual elements of that may themselves appear insignificant, many are capable of having serious economic impact. They are tripwires in a minefield.

Data protection legislation has already been identified by the UK Information Commissioner as needing careful consideration in the Brexit process. I suspect that the government’s Brexit Department has been overwhelmed with other similar problems, and when they finally have sufficient staff and premises to start looking at these, I fear that data protection will get put low down in the pile. That would have serious consequences.

At present, the UK’s data protection legislation is centred on the ancient and now seriously flawed Data Protection Act 1998. Drafted in a different era, its heart is in the right place, and it does (with a bit of later adjustment) meet current EU requirements. But it was never fit for purpose in the twenty-first century.

More importantly, it is woefully insufficient to comply with the new EU General Data Protection Regulation – the GDPR, or more properly Regulation (EU) 2016/679. Until the UK referendum result was known, many UK businesses were preparing themselves to address the additional and enhanced provisions of the GDPR.

Unlike the previous EU directive (95/46/EC), which had to be implemented in national legislation such as the UK’s Data Protection Act, the GDPR is a regulation, and will have the force of law without national legislation. We are already, technically, subject to it, as we have entered the two-year transition period for it to come into full force. From 25 May 2018, the GDPR will have the force of law throughout the EU, including the UK, assuming that it has not completed its Article 50 departure before then (which seems extremely unlikely).

So for a period, from 25 May 2018 until the UK’s intended departure from the EU, perhaps in early 2019, the current Data Protection Act will have to be repealed or suspended, in order for the GDPR to supersede it.

Once the UK has left the EU, though, as the GDPR is not implemented in national legislation, the UK will then be left without modern data protection law.

This is a problem for all UK companies and organisations which have to comply with data protection law – in other words, every company and organisation which handles the personal data of EU residents.

Whenever the UK might leave the EU and the GDPR ceases to have the force of law in the UK, the UK’s Data Protection Authority will cease to exist as far as the EU is concerned. UK companies and organisations which have to comply with the GDPR will then have to work through an EU Data Protection Authority, such as that in Ireland, should it have the capacity to take such a great workload on. As many other non-EU companies and organisations will also need to work through EU Data Protection Authorities, there will be no shortage of that work.

The data protection situation in the UK on Brexit will, though, be dire. If the ancient Data Protection Act 1998 were to be resuscitated (or un-suspended), trying to comply with its requirements and those of the GDPR would be a nightmare, but all companies and organisations handling the personal data of EU residents would have to do so. The chances of the UK parliament drafting and approving a replacement which is compatible with the GDPR – in the midst of the massive legislative burden imposed by other aspects of Brexit – seem nil.

As a result, on Brexit, the UK could well be left without any data protection legislation which applies to its own citizens.

Ultimately, the UK would need to negotiate its own legislative equivalent of the GDPR which the EU might then accept, much in the way that the US Privacy Shield should work. As we have seen, that is not an easy matter, and would require UK legislation as well – and would almost certainly not happen for some years after Brexit took effect.

So for all UK companies and organisations which handle the personal data of EU residents, this is the new roadmap for data protection compliance:

  • until 25 May 2018, comply with existing UK legislation, prepare for GDPR compliance;
  • from 25 May 2018, register under GDPR with the UK’s Data Protection Authority;
  • on Brexit, perhaps early 2019, register with Irish or another EU Data Protection Authority under GDPR, and comply with non-existent UK national law for non-EU data.

The outcome for most UK companies and organisations after Brexit will, as in so many other matters, be increased compliance overheads, not reduced ones.

If this all seems immaterial, the fines which can be imposed under GDPR have maxima of €10-20 million, or 2-4% of the annual worldwide turnover, whichever is the greater. And failure to embrace GDPR will make it impossible to do business in the EU, if that business involves protected data.

For UK citizens who are not resident in the EU, the personal roadmap for our data to be protected reads:

  • until 25 May 2018, covered under the UK Data Protection Act 1998;
  • from 25 May 2018, covered under the EU GDPR;
  • on Brexit, perhaps early 2019, probably not covered by any legislation, unless that is enacted prior to Brexit.

I have a feeling that data protection is a microcosm of many other similar areas. Don’t you?