How will Brexit, in whatever form it takes, affect data protection law in the UK?
There are a number of alternative options for the UK’s exit as a whole, depending on the outcome of the negotiations, and we don’t yet know when we’ll have certainty on this question. The main options being discussed are as follows:
- We stay in the European Union (EU). Until Article 50 of the Lisbon Treaty is triggered, there remains the possibility that the UK will not, in fact, leave the EU at all.
- We leave the EU, but stay in the European Economic Area (EEA). The EEA is a separate treaty agreement between all the members of the EU plus Iceland, Liechtenstein and Norway. The EEA Agreement requires EEA states to incorporate EU legislation covering the four freedoms (free movement of goods, services, persons and capital) into their domestic law.
- We leave the EU and the EEA. In terms of trade arrangements, the options here include joining the European Free Trade Area (EFTA) (the Swiss model), negotiating individual trade terms with the EU (the Canadian model), or falling back on World Trade Organisation trade terms.
Whatever the outcome, there is no doubt that businesses should keep preparing for the General Data Protection Regulation (GDPR). The GDPR will continue to apply across the remainder of the EU, and so any organisations operating across the continent will still need to comply. Moreover, any UK businesses which process data about EU nationals (whether as a controller or a processor) will be subject to the GDPR as an overseas controller, in the same way many US companies will be.
The GDPR becomes applicable across the EU on 25 May 2018, which is several months before the earliest that the UK’s exit negotiations could be completed – even if Article 50 was triggered tomorrow. In view of this, and the concerns around data transfers, it is highly likely that any UK Act of Parliament concerning data protection would be very similar to the GDPR.
The table below (see link) explores what each of the options above mean in respect of data protection.
Download PDF/Print version here.