For many British citizens one of the main reasons stated for voting to leave Europe is that the UK would no longer be forced to adopt EU laws, including the European General Data Protection Regulation (GDPR).
This might come as good news to businesses concerned by the stringent requirements and enormous fines (up to four per cent worldwide annual turnover or €20m), whether or not their leaders had voted to leave the EU. However, escaping the provisions of the GDPR appears to be less likely.
In a complex relationship with so many moving parts, it is virtually impossible to predict the full ramifications of a Brexit. However, in the light of recent events in the privacy sphere, such as the evolution of the draft GDPR, abolition of the US Safe Harbour, and proposed adoption of the UK Investigatory Powers Bill (and equivalent surveillance legislation in other jurisdictions) the data protection consequences may be a little more ascertainable.
Britain and the EU are inextricably linked through a complex web of trading relationships which, to survive a Brexit, would depend on both sides concluding effective trade agreements. The nature of such agreements would depend on the deal negotiated between the UK and the remaining member states. Parties on both sides of the Channel are likely to be motivated to reach a swift agreement to continue benefiting from the ability to exploit each other’s markets.
One potential solution might be for the UK to join the European Economic Area (EEA). Under current data protection law, enshrined in the Data Protection Directive 95/46/EC (Directive), organisations are prohibited from transferring personal information concerning their employees, customers and suppliers outside the EEA to jurisdictions that do not provide adequate protection.
By the same token, organisations in the EEA may freely share data between one another. However, EEA membership requires the adoption of most EU laws, as well as allowing the free movement of individuals across EEA borders. Given that the UK’s ability to make its own laws and enforce its own borders are key drivers for voting to leave the EU, joining the EEA may not be an appealing option.
A more attractive solution may be to forgo EEA membership but enter into a series of bilateral agreements with the European Union (the approach taken by Switzerland).
An issue that would have to be agreed between the UK and the remaining member states would be the UK’s status as an ‘approved country’ for the purposes of data protection law. It should not be assumed that Britain would automatically be designated an ‘approved country’.
There are two main reasons for this assertion. Firstly, the European Commission has already expressed concerns that the UK Data Protection Act 1998 (DPA) does not fully implement the Directive, and secondly, the UK Investigatory Powers Bill (aka the Snoopers’ Charter) could enable the same type of mass surveillance that led to the demise of the US Safe Harbour.
Assuming the mass-surveillance hurdle could be overcome (which the failure of the US Safe Harbour and ongoing challenges to the Privacy Shield demonstrate is by no means a forgone conclusion), the DPA would require considerable reform to optimise the chances of a post-Brexit UK being approved by the EU.
It would make sense to follow a GDPR-type model, especially since the extra-territorial reach of the GDPR would mean that its provisions (including the substantial fines) would still apply to UK organisations whose goods and services are directed at EU citizens, even if Britain was no longer a member state.
For businesses concerned about the risk, but unsure how to address the uncertainty, it seems likely that, if Britain were to exit the EU, at the very least the DPA would require significant reinforcement to avoid the UK being deemed an unsafe third country.
It would make sense to bring the DPA into line with the GDPR, and regardless of any reform, UK businesses selling products and services to EU citizens may still be subject to the GDPR thanks to its extra-territorial reach.
Unfortunately, it appears that, while Britain may leave the EU, the GDPR (or something very much like it) is here to stay. (also published on Global Law)