One of the less publicised but nonetheless important aspects of Brexit is whether or not UK companies will be able to maintain a free flow of personal data between the United Kingdom and the European Union.
The forthcoming General Data Protection Regulation (GDPR) will have a significant effect on businesses that process personal data. Its extra-territorial effect means that it will apply to non-European businesses if they do business in Europe or monitor the activities of Europeans. The GDPR becomes directly applicable across all EU Member States from 25 May 2018, 10 months before the United Kingdom is expected to leave the European Union.
On 14 September 2017, the UK Government introduced an extensive Data Protection Bill that runs to over 200 pages and includes provisions dealing with the flow of personal data after Brexit.
The Bill seeks to do a number of key things, including: i) take advantage of provisions in the GDPR that permit more specific rules to be introduced in particular areas, most notably employment; ii) address certain processing that does not currently fall within EU law, for example, in relation to immigration and the intelligence services; iii) implement the EU Law Enforcement Directive; and iv) deal with Brexit. In relation to Brexit, the Bill suggests replacing references to European data protection authorities with references to the Information Commissioner’s Office (ICO), which is the UK data protection authority. In addition, it provides that the ICO will co-operate and conduct joint operations and joint enforcement with European data protection authorities, and “have regard” to decisions and advice from the European Data Protection Board (EDPB).
This last provision is particularly important. The EDPB will comprise representatives of each of the national data protection authorities in the European Union, and its function is to ensure consistent application of the GDPR, provide additional guidance reflecting best practice, and issue official opinions in relation to the GDPR. It is likely that, without the pragmatic voice of the ICO within its membership, the EDPB will provide ever-more data subject-friendly recommendations and opinions. The key question currently relates to the extent to which the ICO will import that guidance into post-Brexit UK law.
In its policy paper The exchange and protection of personal data, the UK Government has stated that it hopes UK law will remain “adequate” so there can be a free flow of personal data between the European Union and the United Kingdom. In contrast, in its position paper on the Use of Data and Protection of Information Obtained or Processed before the withdrawal date, the European Union says it is concerned that UK law will not be adequate and, moreover, demands particular protection for EU data that remains in the United Kingdom after Brexit.
Until a concrete decision is in place, companies’ best course of action is to prepare for compliance with UK data protection law and the European GDPR if they have entities or customers in the European Union, and to keep a close eye on the ICO’s adoption of EDPB opinions.
Gemma Cullen also contributed to this article.