On June 23, 2016, the United Kingdom voted to leave the European Union in the so-called “Brexit” referendum. This article analyses GDPR and Brexit and more specifically what would be the next steps to enforce the new Data Protection Regulation. The European Union Referendum Act provides no further steps in the process apart from Withdrawal Bill implemented by the Prime Minister to notify the EU of the UK’s departure. The notification was sent on March 29, 2017, giving the UK 2 years to negotiate new trade deal and partnership under the Article 50 of the Treaty on European Union unless a consensus is reached between the parties to extend this period.
GDPR and Brexit
One of the main aspects of concern is the UK legal structure after Brexit, especially for data and privacy protection. The UK government has acknowledged that it would be still part of the EU when the GDPR came into immediate effect on 25 May 2018. Furthermore, the government stated its position that it wants to modernise the data protection mechanisms mainly because it wants to modernise its approach towards technology and replace the outdated Data Protection Act (1998). The UK has stated that it will enforce GDPR and Brexit would not affect that decision. On August 7, 2017, the Department of Digital, Culture, Media and Sport published a detailed report in which it outlined the intent policies and objectives behind the proposed Data Protection Bill, which was introduced in Parliament. The Bill currently is being voted and making it’s through House of Lords and Commons. In our discussion we provide we analyse the key differences between the Bill and GDPR and the characteristics of GDPR and the EU Directive on General Data Protection.
GDPR and Brexit: What Businesses Need to Know
If the Bill is implemented in the current variation, is success and efficiency will be determined by its post-Brexit state. Once UK left the EU, it will become a third-party for purposes of the EU law. As such, additional mechanisms must be implemented to ensure a successful working relationship with the EU and more specifically, successful adoption of legislation regarding data handling, protection and privacy. In the post-Brexit period, the UK will be subject to article 45 of the GDPR stating that data transfers will be only permissible if the UK and other third-party countries ensure a high standard of data protection. The EU commision could also reach an explicit agreement with the UK permitting bilateral data transfers of personal information.
However, if the UK is unable to obtain this designation, then by Article 46 of the GDPR, cross-border data transfers could still take place if the recipient outside of the EU puts appropriate safeguards in place, which include standard contract clauses or binding corporate rules. These alternative measures would involve added costs and red tape for businesses. For purposes of legal certainty and as the most reliable guarantee of the free flow of data, an EU Commission adequacy decision would be the preferred approach.
Regarding the United States, post-Brexit, the transfer of data will no longer be governed by either
(i) the EU-U.S. Privacy Shield, which establishes the legal framework to which transatlantic transfers of data may take place for commercial purposes between the EU and the United States, or
(ii) the EU-U.S. Umbrella Agreement, which established a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.
Consequently, the UK will be able to choose own mechanisms and regulations to which it wishes to proceed with the United States. However, given the consensus that the UK is unlikely to diverge from the GDPR, it would be able to adopt its own equivalence decision concerning the United States and its privacy shield. This would mirror the approach taken by Switzerland and recently advocated by the European Union Committee of the UK House of Lords. Not only does Switzerland have an adequacy finding by the Commission, but it also has in place a Privacy Shield Agreement with the United States identical to the EU-U.S. agreement.
Current Legal Framework
Data privacy has been a significant concern for EU lawmakers since the yearly 1990’s which is adopted by the EU human rights treaties. The first significant legal framework for data privacy was ratified in 1995 with the European Data Privacy Directive (1995) which was enforced by the Member States. Later in 1998 the Directive was followed by the Data Protection Act (1998) in the UK and remained unchanged until GDPR came into effect.
Find out more about how GDPR Regulation Forces Facebook Policy Changes
Data Protection under GDPR and Brexit
In April 2016, the EU stated that it plans to adopt General Data Protection Regulation (GDPR) that will replace the 1995 Directive and has to enforced by all 28 Members States on May 25, 2018. GDPR marks the most significant legal framework in more than 20 years and will modernise the way how companies handle personal information. Since the UK is still a member of the EU, the GDPR will become part of the UK law. Under the proposed EU Withdrawal Bill, GDPR would remain a UK law after Brexit but it could be amended or modified thereafter. Additionally, the EU developed the Data Protection Law Enforcement Directive according to the processing of individual information for criminal law enforcement tasks. The Data Protection Law Enforcement Directive also took effect on 25th May along with GDPR in all Members States. Considering that the latter law is a directive, countries will have own implementation of it into national law. The UK must follow the same steps as other Members States as GDPR and Brexit will have no immediate connection.
Key Takeaways from the GDPR and Brexit
- Extends individual’s right on personal data contained in the UK Data Protection Act 1998
- Allow individuals to request changes to companies and even delete their personal data
- Require parents and guardians to consent on behalf of children under 13 years
- Increase fines up to €20 million or 4% of a company’s global turnover (whichever is higher)
- Require methods in-place for individuals to withdraw over personal data handling
- Provide individuals with immediate access to their personal data held by any organisation
- Require unambiguous consent for processing personal data
- Explicit consent with respect to processing an individual’s sensitive data
GDPR and DPA
GDPR does not seek to replace the Data Protection Act (1998) rather than enhance individual’s rights and the rules already in place to reflect the changing nature of the digital economy. GDPR now requires to appoint Data Protection Officer in companies with more than 250 employees or handling sensitive information. The substantial increase in the fines is another key difference. Part 2 of the Bill supplements the GDPR and applies broadly similar procedures to certain types of data processing to which GDPR is not applicable. Some fundamental similarities and differences are further discussed.
To sum up, the fact that the UK government is ready to implement GDPR and other improvements towards Data Protection despite Brexit is a positive sign and should be welcomed in the digitalisation era. This fundamental shift is necessary as the on-going technological development changes how personal data is protected and impacts not only personal rights but also how digital economy mechanisms work together. However, the Bill is just a step closer to filling in some serious gaps in the UK’s relations with the United States and the EU.
The introduction of GDPR represents one of the most significant shifts in data privacy standards in more than 20 years. Organisations not based in the EU but processing EU citizens’ information should also take measures in implementing GDPR. UK-based organisations should also take into account also the complexities that are added by Brexit but the best way to think of it just now is that GDPR and Brexit will go hand-in-hand with no immediate ramifications.
Get GDPR Ready with Apex
- City & Guilds Accredited eLearning
- Updated content
- Develops Data Safety knowledge
- Instantly available course
- Completed in 60 minutes
- Subject Access Request game
- Interviews with legal experts
- Interactive content
- Certificate for your CV