Brexit and data protection: A period of shock and reflection
Let's all take a moment to catch our breath
BREXIT What price the UK's secession from the European Union? “It's far too soon to tell,” has been the sober and much-repeated line of legal and privacy professionals following the United Kingdom's referendum which voiced public opinion to leave the European Union.
Speaking to The Register this morning Andrew Joint, commercial technology partner at Kemp Little explained that while questions were already arising in the areas of contractual legislation, and those affecting employment, data, and financial law – as well as intellectual property regulations – the nature of Brexit's impact could not be predicted.
“This is a period of shock and reflection,” Joint said.
Mark Williamson, a partner at Clyde & Co, was not so hesitant, stating that the vote “will fundamentally change the way in which personal data is used and moved across Europe”.
It won't at the moment, however. As of today the UK is still part of the EU and is still fully compliant, as a jurisdiction, with the Union's requirements on data sharing. If and when the UK decides to invoke the Article 50 notification, which imposes an obligation for the EU to negotiate the UK's departure – and which prominent leaver Boris Johnson has said there isn't a need to invoke – then the nation will have two years to leave.
Before we leave, however, we remain part of the EU and the General Data Protection Regulations, which are due to come into force in the UK in 2018, will still be law here if we haven't completed our departure from the EU by then.
As the Information Commissioner's Office (ICO) patiently attempted to explain today: “The Data Protection Act remains the law of the land irrespective of the referendum result.”
If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove "adequacy" - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.
With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that would continue to be the case.
Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.
Meanwhile, another partner at Clyde & Co, David Wilkinson, stated that “Over the last 40 years IP laws in the UK have been harmonised with the rest of the EU, with the EU Court of Justice as the final authority on how those laws should be interpreted. So what now? As with most things Brexit, no one knows for sure.”
More helpfully, Simon Colvin, the head of Pinsent Mason's technology, media and telecoms practice, told the The Register that the referendum result was “a shock, but not doom and gloom. We don't need to panic.”
Meanwhile the political risk is that the EU will not want to set a good precedent for those wishing to secede, and “will not be making the dis[en]tanglement very easy – they will be doing what they can to make sure this doesn't start a domino effect,” Colvin said that the UK is in a good position.
The EU is a major trading partner and thus there will be certain compliance requirements, but “having been pat of the EU we're obviously fully compliant, we've got the right safeguards in,” which is starkly different to states attempting to affiliate, where when it comes to approaches for trade-agreements with members, are viewed as non-compliant entities.
The GDPR is “a big step change for all of our clients, whether customers or suppliers,” Colvin told us, but most will have had plans for compliance in motion already. “We're trading with the EU. We need to make sure we're a partner with whom entities in the EU still want to trade with,” added Colvin, but now we're a little more free in our engagements with non-EU entities – if we want to be.
We might have more latitude with how we trade outside of the EU overseas, but with data and privacy being so important, is the EU not setting a sensibly high benchmark for the future here? Would we not still take a sensibly high benchmark with those we're trading with outside of the EU?
Jim Killock, the Executive Director of Open Rights Group, told The Register: “We don’t yet know what approach the UK government want to take with Europe.”
Much again depends on the political leadership of the future, with Prime Minister David Cameron, who campaigned for remain, announcing his resignation today. Among fellow remainers tipped to succeed him is Theresa May, who suggested ridding the nation of the European Convention on Human Rights, rather than the European Union's own human rights legislation - though it looks possible that we may soon be without both.
“The UK needs to be cool-headed, remember its legal obligations to implement EU law until it leaves, and try to keep [its] options open in the meantime. They should be careful not to create a constitutional crisis by unilaterally dis-applying any part of the EU’s legal framework,” Killock added. “The UK’s growing digital economy is closely tied to the EU single market, so the UK should be careful to consider the benefits of keeping consistent laws in place.” ®