Having spent several years negotiating the new EU General Data Protection Regulation (GDPR), could it be that if the UK votes for Brexit on 23 June 2016 we will no longer need to be troubled with this mammoth piece of new legislation?
The GDPR will come into force across the EU on 25 May 2018. It represents a major upgrade to Data Protection laws, which are woefully out of date for the digital connected world. While 2018 is a little time away, because of the substantive changes involved, businesses are starting now to consider what they need to do to make sure that they are compliant by 2018 at the latest.
So, the question is, if the UK is no longer a member of the EU, will the GDPR still be relevant? In brief, the answer is YES.
First, from a timing viewpoint, while a vote for Brexit may be passed in June 2016, the UK’s actual exit from the EU will take place at least two years later. This means that the UK will still actually be a member of the EU, although under notice of leaving, when the GDPR comes into force in May 2018.
While this first point may be short-lived, as the ICO has stated, “the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU”. Having been part of the lengthy process of negotiating the GDPR, it is highly unlikely that the UK would do a u-turn on their implementation. While there may be some who will argue that the UK could benefit from not being weighed down by this somewhat bloated and bureaucratic Regulation, and could opt for something more streamlined and flexible, there is unlikely to be much appetite to change things materially.
Furthermore, for the UK to trade with the EU, it will be essential for the UK to be regarded as a safe harbor to receive personal data from the EU. This in turns depends on the data protection laws of the UK being in line with those in the EU. This is ironic given that the EU Data Protection Directive of 1995 was based in large measure on the original UK Data Protection Act of 1984.
Following a Brexit, the UK would be in the somewhat awkward position of having to ask the EU to make a formal ruling that the UK has “an adequate level of protection for personal data”. Such a ruling has been made in relation to countries such as Switzerland, Canada, New Zealand etc and would be required to enable EU-based businesses to transfer personal data to the UK, and to give confidence to EU-based consumers transacting with UK businesses.
While there are many unknowns about Brexit, not least (at the time of writing) whether we are in or out, since May 2016 when the GDPR was approved, the future as regards Data Protection laws looks pretty clear.