GDPR One Year On: What about Brexit?

Back in April, the UK and the EU agreed to delay Brexit until 31st October 2019. Whilst the delay gives the UK government more time review its withdrawal strategy, businesses operating in the UK are faced with continued uncertainty about the impact of Brexit on their commercial activities generally, and not least in respect of their data processing practices.

Of course, in the short-term thanks to the Brexit delay, companies established in the UK or processing personal data there continue to fall under the GDPR, while the UK remains an EU Member State. It seems that there will also be a crossover in rules for some time after this, since politicians can create transitionary measures in the event that Brexit occurs on the basis of a “deal”.

The GDPR has extraterritorial effect so that non-EU companies with EU customers must conform to its standards. As the GDPR turned 1 year old on 25 May 2019, a lot has happened in the EU’s political landscape since then - not least as regards the UK’s ongoing relationship with the EU.

But what is the future of data protection for UK companies?

After - if! - the UK leaves the EU it might hope to join the likes of Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

Why?

These are the only countries which have been granted a ruling of adequacy by the European Commission for their levels of data protection, which means that the EU has established that the data protection regimes in these territories offer equivalent or "adequate” protection to the personal data of data subjects as is provided for within the EU.

Can the UK apply for an adequacy decision?

If the UK has to apply for an adequacy ruling in order to transfer data in and out of the EU, delays in a decision could put a stop to online airline bookings, credit card payments and other transactions where the parent company is based in the EU. 

The EU has essential levels of adequacy that countries must meet with their data protection regimes if they wish to transfer data to and from the European Economic Area or the EU. This is where the uncertainty lies: the UK might have to apply for an adequacy ruling which itself can take time, and these rulings do not happen straight away. If we’ve learned one lesson from Brexit, it’s that decisions hoped to be finalised in months can drag on for years. Another worrying factor is that these adequacy decisions can be revoked with little notice should the EU decide that rules are no longer up to scratch.

An adequacy decision opens up difficult areas on data protection, such as in national security arrangements, to scrutiny which the UK has until now avoided as a member state.

European Courts have disagreed with UK approaches to national security and data protection in significant court cases in the past, the most recent being when the Government Communications Headquarters’ mass surveillance programmes were found to be unlawful. 

Another sticking point may be how the UK currently derogates from the GDPR by allowing an exemption from data protection rights where effective immigration control could be prejudiced. Criticism has come from the EU around the implications for adequacy, worrying that the exemption threatens fundamental rights and fails to provide essentially equivalent standards.

With the GDPR allowing data protection authorities to fine companies up to 4% of global turnover should they continue to transfer data to a country without an adequacy ruling, the risk is clear.

What has the UK promised?

That being said, the UK has committed to maintaining GDPR standards post-Brexit. The Data Protection Act came into force in 2018 and complements the GDPR by matching its standards. Article 7 of the European Union (Withdrawal) Act 2018 promises that retained EU law like this will continue to be domestic law. Article 71 of the EU Draft Agreement on withdrawal sets out that any data processing carried out within the UK on subjects outside of the UK, which was subject to EU rules before Brexit, will continue to apply after Brexit.

These promised laws and the fact that the UK has proven its self to be one of the strongest data protection promoters globally will hopefully mean that the same high standards of protection will continue to apply. But remember- this is not the whole picture for data protection compliance, and when it comes to the protection of fundamental rights there are difficult questions to be addressed. 

The future for data protection in the UK

The law does its best to keep up with the speed at which technology develops but given innovative processes such as blockchains, artificial intelligence and cloud software, it is easy to get left behind.  Regardless of the future of data processing under the EU rules in the UK, the GDPR took 4 years of debate around laws which had not been updated for many years. The update changed the regulatory landscape for tech companies especially, where IT infrastructures have been increasingly shifting to the cloud, and businesses rely on other developing areas of technology such machine learning and text and data mining of information including personal data to really innovate. Regardless of Brexit, the UK’s commitment to innovation and technology will surely ensure that the UK remains a favorable environment for carrying out such activities, but ensuring that there is a high standard of data protection in order to remain relevant and competitive on a global scale, whether or not it remains a part of the EU.

A pragmatic approach

The optimistic and pragmatic view is that the UK and the EU will endeavour to build a working relationship, whatever the outcome of Brexit, and the EU will continue to adapt laws in a way that promotes innovation. It is the rational academics, the business community, lawyers, and practitioners of law that find solutions to these legal problems which politicians are then constrained to translate into laws.

For the UK, will 47 years of shared experience really evaporate? We hope not! Our main hope for the future of the GDPR is that no one becomes complacent, those who are making the rules and those who are following them. It is better to be prescriptive than reactive, and it is not worth waiting for a data scandal to realise that tight rules must be in place for all of our own protection.

If you have any questions or would like to review your own data practices in light of Brexit, please get in touch!

Article: Lily Morrison, Legal Consultant and Charlotte Gerrish, Founding Lawyer @ Gerrish Legal - May 2019.