The General Data Protection Regulation (the GDPR) will apply across the European Union from 25 May 2018. The European Commission proposed the regulation to protect individuals 'with regard to the processing of personal data and…the free movement of such data'. The UK has now voted to leave the EU, or 'Brexit'. So what does Brexit mean for the UK in terms of data protection?
The GDPR will be directly applicable in all 28 member states of the EU. Its headline act is a new scale of fines for breaches of the regulation, including the unlawful export of personal data outside the EU: the higher of 4% of annual worldwide turnover and €20 million, a level previously seen only in antitrust and cartel cases. The regulation also reaches data controllers established outside the EU where their processing relates to the offer of goods or services to data subjects in the EU, so the penalty regime can apply to them too.
It seems that the Brexit vote will be followed by a two-year withdrawal process. So, depending on how the exit negotiations proceed, it is possible that the GDPR would take effect in the UK on 25 May 2018 and the UK would complete its exit a month or so later. In that scenario, the GDPR, being an EU Regulation, would cease to apply in the UK on exit unless Parliament chose to retain it. More likely, in the period between the formal notification to the EU of the intention to leave and the date of exit, the UK Parliament would need to decide which EU Regulations, the GDPR among them, to adopt into UK law and which to let fall away.
As is currently the case, and as will remain the case under the new regulation, data controllers wishing to transfer personal data outside of the EU may only do so if they satisfy one of the permitted gateways. The simplest gateway is where the country in which the recipient is located has been found by the European Commission to offer an adequate level of protection, a so-called 'safe third country'; otherwise the exporter must rely on another mechanism, such as approved contractual clauses.
This leads to a rather important question: after Brexit, would the Commission classify the UK as a 'safe third country', so that personal data could continue to flow from within the EU to the UK? If not, UK companies doing business in the EU would need to rethink their data protection compliance strategy. Transfers to UK-based data processors, which today need no separate legal justification, could require one after Brexit. Without such a justification, companies that split different parts of their business between the remaining EU and a post-Brexit UK might need to restructure their data flows.
The reality is that we don’t know what the UK's post-Brexit relationship with the EU will look like, but it is expected that the UK would want to adopt a rulebook that does not interfere adversely with data flows from the EU. Too much of the UK's business relies on that freedom of movement.
One potential outcome would be the so-called Norwegian option. Norway is a member of the European Free Trade Association (EFTA) and of the European Economic Area (the EEA). The EEA has at its core the four fundamental freedoms of the EU treaties: free movement of goods, services, capital and people. The upshot is that the GDPR, as single-market legislation concerned with the free movement of data, would be expected to be incorporated into the EEA Agreement and so apply in the UK much as it does in the EU.
The opposite outcome would be a World Trade Organisation solution, applicable if the UK leaves the EU and is unable to, or does not seek to, agree a free trade agreement with the EU. If that were to happen, the GDPR would have no direct effect in UK law. For data to flow into the UK from the EU, either the Commission would need to designate the UK as a 'safe third country' by way of an adequacy decision, or the UK would need to negotiate a discrete arrangement, along the lines of the 'Privacy Shield' that the EU and USA are currently seeking to agree.
Our expectation is that, in line with the government's general outlook, the UK may not want to adopt the whole of the GDPR: some of the provisions around consent, for example, might be seen as too onerous and 'anti-business'. But, as noted, the GDPR has an extraterritorial reach: UK businesses, operating in a post-Brexit UK and offering goods or services to consumers inside the EU, would be subject to the GDPR for that processing whether or not the UK adopts it.
If you have any questions arising from this, please contact Adam Rose; 020 3321 7197