What does BREXIT mean for data protection?

On 23 June 2016, the UK is holding a referendum as to whether to stay in the European Union or leave it.  But what does a BREXIT (a British Exit from the EU) mean for data protection?

Most of the UK law on data protection comes from the EU.  The UK Data Protection Act 1998 and the Privacy and Electronic Communications Regulations both implement overarching EU law.  So you might think this is like “unplugging” the source of data privacy law and therefore switching it off?  But UK data protection law, in fact, pre-dates the European data protection directives.  Indeed, the UK was a signatory to the 1981 Convention (the forerunner of modern data protection law).  Enough history!

What could happen in theory?

The UK parliament could reduce (or repeal) the Data Protection Act.  The Courts could decide to no longer follow EU case law.  Most importantly, the UK could choose not to implement the General Data Protection Regulation (GDPR).  This, as we all know, is a wholesale upgrade to EU data protection law.  GDPR includes new penalties of up to 4% of worldwide turnover, new legal duties to notify of data breaches and requirements to implement an accountability framework of policies and procedures.

What will happen in practice?

The UK could leave the EU and join the European Economic Area.  In this case, it would be legally obliged to maintain data protection law on an equivalent footing to the EU. So all the current law would stay.  GDPR would also be a requirement.

Theoretically, the UK could go out on its own.  However, this would make it a non-adequate jurisdiction for international data transfers. This means it cannot receive personal data freely from the EU.  It could ask the EU for an “adequacy decision” but it’s anyone’s guess as to how long that would take.  It could be a difficult negotiation (…think about the recent story of Snowden, Schrems and the proposed Privacy Shield, which is still being worked on).

No doubt there would be huge pressure on the UK to fall into line (dare I say it) with EU-style data protection law anyway.  Otherwise, this could be a significant drag on international trade. 

Finally, there is the practical argument that we actually need data protection law to underpin consumer trust in the digital economy.  So let’s not trash it.

For what it’s worth, the ICO say that the UK needs clear and effective data protection law regardless of whether it remains in the EU. They don’t expect to be packing their bags.

Whatever the uncertainty on a possible UK exit, the issue will, at least, be resolved in a little over 7 days.