The decision made by the British people in the 23 June 2016 referendum has multiple consequences, many of them legal. Some have already been addressed, but the issue of what Brexit could mean for European citizens’ privacy and data protection rights has been pushed to the background.
The regulatory framework for data protection in the European Union conferred total freedom of circulation on data within the 28 Member States. The United Kingdom’s exit from the EU, and consequently from that legislative environment, will therefore mean that its citizens will be considered as established in a third country, and issues such as those currently existing with the United States will have to be contended with. Basically, sending data from any EU country to the UK will constitute an international data transfer, with the legal effects that this entails.
Obviously, given the importance of massive data processing for a company from any sector, the UK is not going to remain aloof from its former fellow Member States, since not interacting with the EU in this field would leave it out of the game in a sphere that is vitally important for the economy.
This situation obviously gives rise to uncertainty (which will have to be cleared up by the British government in the coming months) concerning the decision to be made on the subject of data protection in the island State.
It is first of all necessary to understand the UK’s legislative situation regarding this subject. The law currently applicable to national data protection is the UK Data Protection Act of 1998, a product of the transposition of the 1995 EU Data Protection Directive, which established the fundamental concepts and principles underlying data protection laws throughout Europe. The UK Electronic Communications Act is also significant: it regulates electronic signature-related issues stemming from the 1999 Directive, as well as electronic communications and transactions, and is supported by the texts transposing the 2000 E-Commerce Directive. The current regulatory framework is therefore not so far removed from the one existing in the other 27 countries thanks to the transposition of several directives.
At first glance, the foreseeable reaction is that the UK will be considered as a country with a secure data protection level, and maintaining the status quo should not be overly problematic, given that UK laws have been adapted to European legislation and are very close to those of the other 27 States. This obviously depends on a number of factors. First of all, the British government is changing, and we do not know what the intentions of the next inhabitants of 10 Downing Street will be. It is therefore feasible to believe that there could be a change in legislative policy concerning data protection, and the ties that bind the country to the EU will therefore be broken in a more drastic way. Another variable to be considered is that declaring the UK as a country with an adequate level of protection is contingent upon the European Commission’s approval, which has to be carried out by means of a regulated procedure, where it is necessary to study numerous issues such as the functioning of a supervisory authority, case-law on the subject and the country’s international commitments, as well as the fact that the agreement has to be revised every four years.
Supposing that the second option, which is more realistic and conservative, is the one that is effectively followed, the situation would not be exempt from problems. The need for the aforementioned declaration by the Commission could mean that in the period of time between the actual departure from the EU and approval of the agreement, the UK will be considered a third country and any transfers made to it will be viewed as international data transfers. An indefinite time period would open up, in which companies from both sides would have to regulate their operations to comply with transitional legislation with an undetermined expiry date. In short, too many changes and requirements for a relatively short space of time. Added to that is the fact that the British State’s laws and practices on the subject of data protection will be monitored closely by EU regulators and subjected to detailed scrutiny.
It should be borne in mind that there are two sides to this dispute, and so the European Union’s reaction has to be assessed. Since it will be for the Commission to evaluate an agreement declaring the UK a kind of “safe harbour” in the event that the exit actually comes about, the European institution may place some tremendously demanding standards on its ex-member. Europe therefore has the power to subject British law to a comprehensive analysis that will reduce its negotiating leverage and force it to submit to iron-fisted control from Brussels so as not to end up in legislative limbo.
This declaration as a country with an adequate protection level will only be necessary if the UK, on abandoning the EU, decides not to be part of the European Economic Area. This is the option followed by the non-EEA member Switzerland. Since 2000, there has been an agreement with the Helvetian country, guaranteeing an adequate level of protection for the treatment of personal data in that State, as in the case of other territories such as the Isle of Man, Uruguay and New Zealand. In the event that the British opt to adhere to the EEA, European data protection laws will apply to them, and so sending data to the British Isles will not constitute an international data transfer.
Seeing that the option that is, let us say, peaceful, conservative, or close to the EU, is actually much more problematic than it initially appears, it cannot be ruled out that the incoming administration could make a much more drastic move and reform existing data protection laws to distance them from European legislation, over which there had been disagreement during the approval process, thus adopting a position that is more in keeping with the less protectionist principles of the Anglo-Saxon world. Since it seems counterproductive for them to isolate themselves in such a way, this option would appear to be less likely, although it can always be argued that if the EU has reached an agreement with the United States, it could also reach one with Great Britain in such a case.
In that regard, Christopher Graham from the Information Commissioner’s Office stated that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens”, and that “we will be speaking to government to present our view that reform of the UK law remains necessary”. It would therefore seem that the country’s relevant institutions in respect of this issue advocate maintaining the unity of EU and UK laws.
Regardless of which option is followed, the consequences are complex to say the least. The exit is based on Article 50 of the EU Treaty, according to which the withdrawing State and the Union will have to negotiate a withdrawal agreement, setting a date on which the treaties will cease to apply to the former. Where no such date has been established, the treaties will cease to apply two years after the European Council has been notified of the State’s intention to withdraw, a time period which can be extended. This term is vitally important, given that the EU General Data Protection Regulation (GDPR) will be coming into effect on 25 May 2018, and so it will more than likely apply to the UK for a certain period of time since a withdrawal agreement has yet to be reached. Things will therefore get messy: during the negotiation of the exit deal and the time period provided for same, the 1998 law stemming from an EU directive will continue to apply until May 2018, when the withdrawal will almost certainly not yet be effective, and so the GDPR will start to operate until the date on which the treaties will cease to apply is fixed. Also, once the Regulation comes into force, all companies and organisations, regardless of where they are based, will be required to comply with its provisions if they process EU citizens’ data. Therefore, when the time comes for the Regulation to cease to apply, a large number of British corporations will have to abide by its provisions in respect of a significant part of their activities.
We can confidently predict that British law will continue in line with European law for a considerable period of time, and so the aforementioned split will be a medium-term decision. The application of the Regulation in the UK will be a reality, and so for a while there will be calm as regards data protection on the continent. In fact, the UK, just like the other EU Member States, will have to transpose the recently approved (May) Council Directive concerning measures to ensure a high common level of network and information security across the Union into its domestic law; in other words, its legislation will keep pace with the rest of the Union for the time being.
Author: Martín Bello Castro
Visit our website: http://www.elzaburu.es/en