Public Sector Update - Data Protection
Friday, 19th May 2017
With the recent heightening of activity in British politics, the future of our data protection laws is looking uncertain. The imminent arrival of the General Data Protection Regulations (GDPR) raises a large amount of questions in relation to organisations' new responsibilities. The general election presents its own complications in respect of predicting what the future of the UK's data protection legislation will be.
Timing of Events
Timing will be key for organisations in understanding their data protection obligations. The GDPR will come into force prior to the UK's exit from the EU. It is a Regulation therefore it applies in its entirety across the European Union. This will result in at least 10 months in which the UK is still a member of the EU and subject to the GDPR.
The Rt Hon Karen Bradley MP – Secretary of State for DCMS:
“We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”
Once the UK leaves the EU, it will not automatically terminate European legal restrictions contained within our national laws. Therefore, until the data protection legislation based on GDPR, is repealed, or even amended, it will continue to be binding law. In addition to this, the UK will cease to belong to the EU "safe-data" zone. This could result in the flow of data between the UK and EU countries being hampered.
In order to prevent this, there are several options available to us. It will be down to the government of the day to select which of these it feels is most appropriate. Therefore the outcome of the general election shall have a direct impact on the way our data protection legislation is reformed and shaped. This will also be impacted by the trade model that is negotiated post-Brexit.
Should the UK decide as part of its exit plan to joining the EEA (by joining EFTA) the free-flowing transfer of personal data to and from EU member states will be maintained. However, the UK would then be required to adopt the more onerous standards of the GDPR and would also need to pay contributions to the EU without receiving the benefits of full membership. This is likely to be an unattractive prospect for whichever government is formed after 8 June.
As part of its exit negotiations the UK could try and incorporate the provision of an accelerated Adequacy Decision. An Adequacy Decision would ensure the continuation of free flow of data between the UK and the EU and would assist in creating as little disruption as possible to organisations' current data storage arrangements.
However, the precedent for these suggests that the process would be time-consuming and could last months or years. This makes the prospect of achieving an Adequacy Decision prior to the UK's exit from the EU fairly unlikely. This is compounded by the possibility of a liberalisation of UK national data protection law in respect of data exports resulting in difficulties in meeting the Adequacy Decision requirements.
Bilateral Data Pact
The UK could attempt to negotiate a bilateral data pact with the EU - this would mean drawing up a free-standing agreement in relation to data. It would act as the UK "Privacy Shield" and would allow UK organisations to confirm (voluntarily) that they complied with the enhanced EU data protection requirements. This would ensure the maintenance of the free-flowing movement of data. As with an Adequacy Decision, this would take some time to negotiate and agree and in the meantime the advent of the GDPR draws closer.
It is inevitable that the GDPR will apply, regardless of the outcome of various political uncertainties between now and 25 May 2018. Organisations will need to ensure that they are prepared to be compliant with the higher standards imposed by this Regulation. The options for the UK post Brexit do not detract from the fact that organisations rely on the transfer of data to and from the EU in order to carry out their day to day activities. Therefore, whichever solution is reached, it is highly unlikely that the laws implemented will stray too far from the principles imposed by the GDPR. The Information Commissioner's Office has made it very clear that the GDPR will apply from 2018 - Elizabeth Denham – Information Commissioner: “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018. We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate”