Big news! The Secretary of State Karen Bradley MP recently confirmed that the UK Government will be opting in to the General Data Protection Regulation (see Q72) and the Information Commissioner has said “I see this as good news for the UK…The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.”
Is this really news?
No. Let’s do a quick recap:
- Do EU Regulations come into force in member states automatically? Yes
- Really? Without the need for national implementation? Yes
- Will the UK still be part of the EU when GDPR comes into force? Yes
- Has the UK ever indicated it will stop complying with EU legislation before we leave the EU? No
- So GDPR will come into force in the UK before Brexit day? Yes
GDPR will be enforceable in the UK as expected. Article 99(2) GDPR says it “shall apply from 25 May 2018”. As we will still be part of the EU then, there is no “opting-in” (although we may “gold-plate” certain issues). Regulations aren’t “opt-in” – GDPR will apply directly in the UK without any further action. The current Data Protection Directive wasn’t really an “opt-in” choice either; it’s just that we had to introduce national legislation to implement it. Any inconsistency between the UK implementation (that is, the 1998 Data Protection Act) and the Directive can be challenged in the courts.
Look, the 1972 European Communities Act currently gives precedence to EU law. The Great Repeal Bill will, er, repeal this from Brexit day but not before. Also, to avoid having to rewrite large chunks of the statute book it will likely preserve most laws as they are at Brexit, including GDPR. I blogged about this before – I wasn’t crystal ball gazing; it’s just the most logical process. We need the crystal ball for what Brexit actually means though!
The ICO wants GDPR. In fact, it wants custodial sentences too for data breaches. We have a long history of data protection in the UK. We even helped draft the European Convention on Human Rights after WWII. It’s true May wants to annul that in the UK and write another one but you would have thought she has enough on her plate already.
Data protection might be addressed in the new Human Rights Act post Brexit day or the UK government might repeal it at some other point (again, after Brexit) but it’s unlikely we’ll drop the standard below GDPR. UK businesses would still have to handle EU data in compliance with GDPR but we could conceivably have a lower standard for non-EU data. However, ask any compliance officer if they want to adhere to two different standards…