The future of UK data protection law post-Brexit

And so it has finally happened: on Wednesday this week, British diplomat Sir Tim Barrow handed in Prime Minister Theresa May's formal "Article 50" letter to Donald Tusk, President of the European Council. The question now is, what does Brexit mean for the future of UK data protection law?

And so it has finally happened: on Wednesday this week, British diplomat Sir Tim Barrow handed in Prime Minister Theresa May's formal "Article 50" letter to Donald Tusk, President of the European Council.  In doing so, the UK formally signalled its intention to leave the European Union, starting a two-year process of intensive negotiations that will see it both extricate itself from, and determine its future relationship with, the European Union. 

There will of course be many important political, legislative, and economic developments throughout the course of these negotiations, but for the privacy professionals among us the big question is: "What does this mean for UK data protection law?"  Details are still sketchy at present, but here's what we can tell you:

1. The GDPR will come into effect before the UK leaves the European Union.  The UK's negotiations with the European Union will last at least two years, taking them through to March 2019.  In the meantime, Europe's General Data Protection Regulation (not to mention the Network and Information Security Directive and, possibly, the e-Privacy Regulation) will come into effect in May 2018.  This means that the GDPR will become "the law of the land" in the UK in just the same way as it will in every other country around Europe next year.  Rest assured: all those GDPR preparations you've been doing (or should have been doing) won't be in vain!

2. The UK will still have GDPR-like rules after it leaves the European Union.  The UK government has signalled that, in order to provide continuing legal certainty for citizens and businesses, all existing European law will essentially be "copied and pasted" into UK law in time by the time the UK leaves the EU.  The legal mechanic by which this will happen is the so-called Great Repeal Bill.  The Bill will repeal the European Communities Act 1972 (which currently gives effect to EU law in the UK, and makes EU law supreme over UK law) and will covert all existing EU law into UK law.  In effect, this means that the General Data Protection Regulation will probably be ported into UK law and end up being called something like the UK General Data Protection Act.

3. It's not quite as simple as that though.  The detailed-oriented among you may be thinking "It can't be as straightforward as cutting and pasting, can it?  What about all those references to European institutions and administrative processes in the GDPR?!"  If you are, then you'd be right.  That’s why the Great Repeal Bill also aims to give the UK government the power to adopt secondary legislation (i.e. laws that are aren't subject to full Parliamentary scrutiny and so are more quickly and easily adopted) that will 'tweak' the converted EU laws in a way that ensures they will have meaning in the UK.  For example, secondary legislation may be adopted that amends the new UK General Data Protection Act so that, rather than saying, "you mustn't export data outside of the EEA without appropriate safeguards", it says "you mustn't export data outside of the UK without appropriate safeguards".  The detail of this, of course, has yet to be worked out.

4. If you're a UK business, you'll most likely need to comply with both UK and EU data protection law.  If you're a business operating in the UK, you will of course have to comply with the new UK General Data Protection Act (or whatever it ends up being called).  However, if you are providing goods and services into Europe, or otherwise monitoring the behaviour of European citizens, you will also have to comply with the EU General Data Protection Regulation.  Actually, the reverse is also true for European companies selling into the UK.  Given that the GDPR should be mostly "cut and pasted" into UK law by the Great Repeal Bill, you'd hope they would be mostly aligned and harmonised – but as wizened data protection professionals will know, you only need the slightest differences (and, let's face it, there will be plenty!) in order for cross-border data protection complexity to arise.

5. The UK will be an adequate country to receive data from the EU… we hope.  One obvious goal in essentially importing the GDPR in the UK law via the Great Repeal Bill is to have the UK declared an 'adequate' country under EU law – meaning it can freely send and receive data back and forth with the EU, without the need for multitudinous data export agreements.  Clearly importing the GDPR into UK law bodes well for UK adequacy; however, other UK laws (like the controversial Investigatory Powers Act), combined with political concerns that the UK might be 'penalised' by the EU for its decision to leave, mean UK adequacy is far from guaranteed.  Privacy professionals will be watching anxiously to see if this is negotiated and resolved as part of the Article 50 withdrawal process.

6. The Right to Be Forgotten and other EU case law will still have precedence in the UK – for the time being.  Finally, as well as porting existing EU legislation into UK law, the Great Repeal Bill will also provide for UK courts to refer to EU court rulings when interpreting the UK's EU-derived laws.  In effect, the Bill proposes that existing case law from the Court of Justice of the European Union (CJEU) will have the same binding status as UK Supreme Court rulings, and expects that the Supreme Court will only ever depart from CJEU precedent in very rare cases.  This means that all of those EU data protection cases that we know and love, from the Costeja Right to be Forgotten case through to Schrems, Weltimmo, Lindqvist and others will continue to have precedence in the UK.

This is what we know for now.  The clear intention of the Great Repeal Bill is to reassure businesses that, post-Brexit, they can "keep calm and carry on", in the very best of British traditions.  There is still a lot of detail to be worked out, however, and privacy professionals will now be watching two countdown clocks – one for the date when the GDPR takes effect, and one for the date when Brexit finally happens.  We'll keep reporting as and when important key developments happen.