Citizens of the United Kingdom caught Brexit fever last month and voted to leave the European Union. The historic referendum on the UK’s membership in the EU took place on June 23rd, 2016, when the citizens decided it was time to stand alone, leaving the comforts of the union behind them.
It’s still too early to know all the ramifications of Brexit, but it is important to understand how the move can change data protection and what that means for the data industry.
Brexit’s Impact on Data Protection Laws
The implementation of the GDPR (General Data Protection Regulation) process and the Brexit process will run somewhat simultaneously. As a result, the EU/UK may take steps to not apply the GDPR in the UK and preserve the application of the DPA (Data Protection Acts) instead, at least until the UK decides whether it’s beneficial to introduce new regulations or not.
Below you’ll find some of the main issues surrounding data protection:
Different data protection regimes in the UK and EU
To this day, the UK has applied a relatively business-friendly data protection regime and, in keeping with this, may choose not to reproduce the more onerous requirements of the GDPR (if approved) and may opt instead to retain a model similar to the one currently in place under the DPA.
Choosing to maintain something similar to DPA would limit the regulatory burden on UK businesses more so than under GDPR, and could create competitive advantages for UK businesses in non-European operations. However, eschewing GDPR would cause the UK to lose the “one-stop shop” advantage due to the difficulty for businesses to comply with both sets of laws, which would leave them exposed to a double set of sanctions for non-compliance.
Cross-border data flows
For the UK to trade with the single market on equivalent terms, its data protection laws should be improved. This implies UK data protection standards would need to be similar to GDPR. Now that the UK is no longer a part of the European Economic Area (EEA), the EU safe zone for personal data and personal data transfers no longer keeps the UK safe. Along these lines, data protection laws should be more advanced than the current DPA to keep up with GDPR. The UK will most likely try to become an EU Commission-approved whitelisted nation deemed to provide safeguards for data. This should happen more quickly and with less effort if the UK’s data protection standards keep up with the rest of the EU.
If the UK is no longer part of the EU, it may take some time before it becomes an “adequate jurisdiction” for businesses transferring data. Businesses would therefore need to consider what alternatives could be implemented to ensure adequate protection for data being transferred from the EU to the UK. There are several options available, such as the use of Commission-approved model clauses, implementing Binding Corporate Rules, or using a consent-based model.
Overall, since the UK is still in the preliminary stages of separation from the EU, it will most likely continue conducting business under the DPA. However, data protection regulations can change in either direction, with the UK loosening restrictions to gain an advantage in the world data markets or tightening them to comfort its European neighbors and maintain its one-stop data shop status. The pending approval of Privacy Shield will help shed light on this developing issue.