I was asked again this morning whether Brexit means we won’t have to comply with the forthcoming General Data Protection Regulation (or any other EU laws, for that matter).
This is a fairly complex area and soundbites don’t do it justice. However, recognising the demand for a (reasonably) quick answer, here are a few outcomes to consider:
UK votes to remain by a wide margin
No change, and we continue to abide by EU laws (including GDPR) as before, but the referendum has ruffled enough feathers in the EU that law-making might change.
UK votes to remain by a narrow margin
Again no change for now (that is, we continue to abide by EU laws) but the answer is hardly definitive for either side, so the issue may come back on the agenda in the near future.
UK votes to leave by a narrow margin
The UK government might decide that the answer isn’t a definitive vote to leave and therefore we stay put for the time being and continue to abide by the legislative framework.
UK votes to leave by a wide margin
This is where the fun begins, and what happens next depends upon what exit deal we negotiate. Don’t forget, the exit process will take two years, but that doesn’t run until the UK government gives formal notice. It might want to negotiate the divorce settlement first before it goes through the divorce itself. Here are a few scenarios:
- We negotiate to stay inside EEA – like Norway we still abide by the majority of EU laws. That’s the price of the Single Market.
- We negotiate to join EFTA – we may gain control of data protection laws but, like Switzerland, if we want to trade with EU companies in a way that involves a transfer of data, we will have to pass or maintain laws akin to the GDPR and get added to the EU Commission’s safe list.
- We abandon the Single Market and opt for what some Brexiteers have called the “Canada option” – that is, we negotiate our own trade deal with the EU. Ignoring the fact that it took a number of years for the EU & Canada to negotiate that deal, it is worth remembering that Canada too is on the EU Commission’s data protection safe list as it maintains adequate data protection laws. So that also means abiding by GDPR.
- We abandon the Single Market and drop data protection legislation – presumably this “cutting of red tape” means we won’t protect UK citizens’ data to the same standards as GDPR. However, for our dealings in respect of EU citizens’ data we will still have to abide by EU data protection standards under GDPR. That would be an odd two-tier system protecting UK citizens’ data to a lower standard than EU citizens. We would also have to go through a Privacy Shield style negotiation. It would be interesting to see if GCHQ snooping under our Investigatory Powers Acts will prolong those negotiations like NSA snooping has for the USA…
If you’re interested, here’s an article that The Channel published at the end of March about Brexit.
If you’re interested in my interview with the German lawyer about German data protection laws, that’s here.