01 September 2017

Brexit: Impact on data protection

As negotiations for the UK’s withdrawal from the EU are now underway, we look at what this process could mean specifically for the business-critical asset of data and the compliance landscape around data protection.

The current proposed approach of the European Union (Withdrawal) Bill is to repeal the European Communities Act 1972 (ECA) and then incorporate all EU laws into UK domestic law ‘where practical’ to ensure no unintentional gaps are left by the repeal of the ECA.

The aim is that this will allow for gradual adjustment of each piece of incorporated EU law on a topic-by-topic basis following the Brexit date of actual separation, rather than the impractical task of requiring every adjustment to be completed by that deadline date.  This will also mean a focus can be brought to bear on the issues which need new legislation immediately upon the Brexit date, such as customs or immigration rules to meet the negotiated position.

Given the British Government’s lack of a parliamentary majority, passing the EU Withdrawal Bill is now looking like a very difficult part of the Brexit process in itself.  It is likely to face significant challenges and amendments before achieving Royal Assent by March 2019.  Likewise, legislative changes required in any of the other 27 Member States as a result of the negotiations are also going to need their domestic parliamentary approval.

EU Treaties and Regulations are forms of legislation which are directly applicable, automatically having the status of law in each Member State.  Where EU institutions have exclusive competence they tend to use Regulations as the legislative instrument as, generally speaking, these will have direct effect throughout all Member States without requiring any further domestic implementing legislation.

A Directive is the legislative instrument which tends to be used, instead of Treaties or Regulations, in attempts to harmonise laws across the EU.  It puts the onus on each Member State to implement domestic legislation to achieve the desired harmonised approach.  This is usually in relation to topics on which the EU institutions do not have exclusive competence.

Data protection compliance in the UK is currently based on the Data Protection Act 1998 (DPA) – a UK statute implementing the UK’s interpretation of a 1995 European Directive.  Since it was drafted at a time when the internet was a brand new phenomenon that most of us hadn’t yet seen, let alone become dependent on, one might well argue this area of law was due for a refresh.

Given that the originating legislation was a Directive at a European level, each Member State essentially got the leeway to implement its own version of that law.  So to date each Member State has had its own equivalent of the UK’s Data Protection Act.

In an effort to achieve a more harmonised approach to data protection, the EU has spent the last few years negotiating the new General Data Protection Regulation (GDPR), so that the same law applies in every Member State.  That means a negotiation involving representatives from all 28 Member States and, as you can imagine, that takes some doing.

So what does Brexit mean for these latest changes in data protection laws?

The new GDPR came into force on 24 May 2016, with a transition period of 2 years, meaning it takes full effect on 25 May 2018.  It will automatically take effect in all countries which are Member States of the EU on that date.

The UK will still be a member state of the EU on 25 May 2018 so we must all comply with the GDPR at that time or risk being in breach. 

Even after Brexit takes effect, the UK will need to adopt its own legislation in place of the GDPR, which will have to be broadly similar in effect.  Otherwise, there is every chance that the UK would not be regarded as a sufficiently compliant country to which the remaining European Member States can safely transfer data and with which they can conduct business.

The Information Commissioner, who leads the regulatory body governing data protection compliance in the UK, has made it very clear that her expectation is for the UK to adopt something very much aligned to the GDPR for our post-Brexit approach to data protection.  Her argument is that anything less would hinder the UK’s international trade and global activities.  As a result, there is now less than 12 months to prepare for and adapt our approach to data in order to meet the more stringent regime of the GDPR.

Announced in the Queen’s Speech in June 2017, the UK’s Data Protection Bill will essentially look to weave the EU’s GDPR into the UK’s laws in order to ensure a consistency of approach for UK organisations and businesses and to enable our continued global trade as smoothly as possible.

If you’d like some assistance in considering the steps your business should be taking to review its data and its compliance strategy in this space, please contact a member of our Commercial team.

© Shulmans LLP 2017

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. Shulmans LLP is not responsible for any activity undertaken based on this information.