Brexit and data protection - would it make a difference?
09 June 2016
The UK’s data protection legislation is currently derived from the EU’s 1995 Data Protection Directive (95/46/EC).
In May 2018, this will be replaced by the EU’s General Data Protection Regulation (GDPR), which will be directly applicable across the EU (together with a new Data Protection Directive for the police and criminal justice sector). The GDPR varies substantially from the current regime. Data processors as well as data controllers will have direct obligations. It has an expanded territorial reach, which clearly reflects the interplay between data protection, competition law and consumer protection laws in the EU. It also institutes a “one-stop-shop” system orchestrated by a lead data protection authority with a common set of rules, and unprecedented fines of up to 4% of annual worldwide turnover for some infringements.
Both the existing rules and those coming into effect in 2018 might be criticised for setting up a system which focuses more on process than substance and creates a bureaucratic and document-heavy framework. A more positive view would be that the GDPR has the scope to further harmonise data protection rules across the EU and increase clarity and consistency.
If we leave the EU, can we escape some of the most onerous provisions of the GDPR?
GDPR applies even to businesses based outside the EU
In one respect the answer is simple, and negative. The GDPR applies to data controllers and processors based in the EU - but it equally applies to data controllers and processors based outside the EU whose processing activities relate to the offering of goods or services to individuals in the EU. So whether we leave the EU or not, the GDPR will bite on British businesses if they trade with individuals in the EU - for example, by selling products online to someone in France via a UK website.
The international basis of data protection rules
In assessing the likely effect of a Brexit more generally, one needs to understand the background to the structure that has been developed for protection of personal data.
Our approach to data protection has its roots not in the EU but in a much broader international consensus. The OECD (whose membership includes most major economies) developed rules on the protection of privacy and transborder data flows in the late 1970s, culminating in its 1980 Guidelines. This was the first internationally agreed set of privacy principles. The Guidelines were followed by the Council of Europe, which in 1981 agreed a Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Council of Europe is an organisation with a significantly wider membership than the EU, including states such as Russia and Turkey.
The UK’s first data protection legislation was based on the Convention and was enacted in 1984, beating the EU to the statute book by over ten years. Only in 1995 did the EU finally create a directive requiring its members to legislate on data protection. When it did so, it tracked the Council of Europe Convention closely. Subsequently many nations have adopted a similar approach, either by national legislation or, within the Asia-Pacific region, through the APEC Privacy Framework.
This means that the EU’s data protection rules were initially a regional response to implementing a set of principles developed with a much wider international consensus. Leaving the EU will not leave the UK free to do whatever it wishes.
Trade with the EU - constraints on transfers
If the UK were to leave the EU, unless it were willing to isolate itself completely from the international community it would have no option but to apply data protection principles and rules which are substantially the same as those within the EU. This is because any trading relationship with EU countries will involve transfer of personal data between the EU and UK, and the GDPR would prohibit any transfer of personal data to a post-Brexit UK without appropriate safeguards compliant with EU rules.
Transfers could still take place if the European Commission were satisfied that the UK provided “adequate protection” and was willing to issue an “Adequacy Decision”. However, given that the EU Commission and the UK have had a fractious relationship on data protection issues because the UK was not deemed to have fully implemented the Directive, and the UK has been subject to regular threats of infringement proceedings over the years, this decision would not be a foregone conclusion. In considering whether protection was adequate, the Commission would be looking for protections similar to those applying in the EU.
If there was no Adequacy Decision by the Commission, the alternative is for “appropriate safeguards” to be put in place. These would include options such as binding corporate rules and standard data protection clauses. But both of these options would impose similar sorts of constraints to those applying within the EU. So, although the UK might be able to tweak current EU data protection rules, there would be no space for a substantial deviation.
If the UK were to decide to exit the EU and not to be part of the European Economic Area, and should the UK not be granted an Adequacy Decision by the Commission, data transfers from the EU to the UK would be made significantly more difficult and burdensome.
If there’s a problem – it’s not the EU
In summary, although the UK’s current data protection legislation must give effect to the existing EU directive and the forthcoming GDPR, it has deeper roots. If there is a problem with the EU data protection rules, it will not be solved by a Brexit - because leaving the EU will not substantially affect how businesses operating in the UK deal with data protection. Instead, leaving the EU may simply increase the burden and complexity caused by a national regime which would not be harmonised with the EU rules and so would be open to further regulatory and legal challenges.