Somebody asked me again the other day what happens to personal data after Brexit. I talked about this in December 2016. A lot has happened since then, so what’s changed?
Well, GDPR has become enforceable of course and the new Data Protection Act 2018 has been passed. So the new standards have come into force before Brexit, as predicted. Brexit hasn’t killed GDPR compliance. At least not yet.
So what happens after Brexit? Unbelievably, we still don’t know what form Brexit will take. This blog is not the place for a critique of the Brexit negotiations – there are plenty of others doing a better job than I can. Brexit boils down to “soft” and “hard”.
If it’s a “soft Brexit” this means we might remain in the Single Market, the EEA or some other customs union. Certainly, in the short term, we are likely to have a transition period where we are out of the EU but still bound by EU rules. We will have to abide by rules we can’t change. So much for Brexit restoring the UK’s “lost” sovereignty. At least it would address the issue of the border between Northern Ireland and the Republic of Ireland.
In that case, we will still be part of fortress data Europe, GDPR will still apply in the UK and data transfers can continue as at present.
There is much talk currently of a “No Deal” Brexit as those pesky EU negotiators won’t give the UK all the benefits of EU-membership without any of the costs or obligations that go with it. Of course, this is a “hard” Brexit where we will probably revert to WTO rules until we can get round to negotiating a bespoke deal with the EU. In this scenario, we will leave the EEA to become a “third country”.
The stated intention of the government and the ICO is to comply with GDPR post-Brexit so we will aim for a decision of adequacy by the EU Commission that our laws are equivalent to GDPR. Given the Data Protection Act 2018 incorporates GDPR wholesale, this shouldn’t be difficult, at least in theory. Attempts to have special treatment and get this decision have so far failed. A decision might take a while; a couple of years, some commentators say. And don’t forget the Regulation of Investigatory Powers Act, aka the Snooper’s Charter, which grants broad powers to governmental agencies to gain access to personal data. This might cause difficulties, just as it does for the US with its USA Patriot Act, the US Foreign Intelligence Surveillance Court and its recent CLOUD Act. In that case, we may have to negotiate our own version of the Privacy Shield (and run the gauntlet of the legal challenges that come with it). In the meantime, data transfers will be all about using the model clauses. If the UK data controllers and processors are complying with GDPR anyway – meaning it’s just the UK government, with its overly broad snooping, which isn’t – then transfers should be able to continue.
One final thought on Brexit, whether hard or soft. One of the complaints of Brexiteers is that we have to comply with CJEU decisions and therefore Brexit must stop this happening. This will lead to the curious position of complying with GDPR – EU legislation – but not the decisions of the ultimate EU court, the CJEU, on GDPR which will affect the remaining 27 EU member states. Naturally, the UK Supreme Court can refuse to apply a CJEU decision where the facts are different. But where the facts are very similar? I don’t think that’s likely.
So much for Brexit restoring the UK’s “lost” sovereignty. Wait, I said that already.
So, not much has changed since my last post. As Brexit is due to happen in March 2019, we should know more soon…
UPDATE: if you want to know how Brexit will affect your contracts, click here: What does Brexit mean for my contracts?