kamasigns - Fotolia

What happens to data protection when we leave the EU?

The UK was a keen participant in the formulation of new data protection laws for the European Union, but its electorate has since voted to leave the EU. How is that likely to affect data protection in the UK once Brexit is accomplished?

This article can also be found in the Premium Editorial Download: Computer Weekly: IT Priorities 2017: focus on flexibility

Companies are harvesting an increasing amount of our personal data in exchange for free use of their digital services and applications. To ensure this data is managed responsibly, companies are required to comply with data protection regulations, which are expected to include the European Union’s General Data Protection Regulation (GDPR). But this could all change when we leave the EU – so what does this mean for UK industry?

Personal data that is harvested by companies can range from names and dates of birth to our personal preferences and Internet browsing habits. Because of the highly personal nature of this information, it can be a valuable commodity for an assortment of companies – marketing, insurance, and so on – as well as to criminal organisations. It is for this reason that data protection legislation must reflect our current online society to ensure that the information we share is maintained responsibly.

The UK’s current data protection legislation is the Data Protection Act 1998, which sought to bring British law into line with the EU’s 1995 Data Protection Directive. The Data Protection Act covers these areas:

  • The obtaining and processing of personal data.
  • The storage and protection of obtained personal data.

One of the problems with the Data Protection Act is that since its inception in 1998, we have witnessed the proliferation of the internet, the advent of smartphones and foundations being laid for the internet of things, none of which was foreseen in the original legislation. “The act was made in 1995 and is way out of what it should be at the moment,” says Ran Berger, CEO of Flat Rock Technology.

The Data Protection Act is a lengthy piece of complex legislation. It affects the ways that companies conduct business, for example in how they determine who can be contacted for marketing purposes, which has led to permission-based marketing strategies.

To reflect the country’s current online habits, the UK’s data protection regulation needs updating. This view is shared by the new information commissioner of the Information Commissioner’s Office, Elizabeth Denham, who is the independent UK regulator enforcing the laws that govern privacy. 

“Both the ICO and the UK have pushed for reform of the EU law for several years,” wrote Denham in a recent blog post. “Growth in the digital economy requires public confidence in the protection of this information.”

Three categories

It is for this reason that the EU’s GDPR has been so welcomed by the business community. The GDPR is intended to bring the data protection laws for all EU member states into the 21st century. As such, the GDPR can be broadly broken down into three categories:

  • Return control of personal data back to the users.
  • Simplify the regulatory environment for data protection.
  • Appoint a data protection officer within companies where data processing is performed.

However, on 23 June 2016, 51.9% of the UK population voted to leave the EU. This means that when the UK leaves the EU, companies will no longer be obliged to follow EU laws and regulations, and will instead return to using UK laws.

Despite the recent High Court decision regarding how government must consult parliament before leaving the EU, the Prime Minister, Theresa May, has said she intends to trigger Article 50 of the Lisbon Treaty by the end of March 2017. Based on this announcement, it is assumed that the UK will have left the EU by the summer of 2019 – but this estimate depends on the precise timetable agreed during the negotiations.

As Denham admitted in her first speech as information commissioner: “The referendum result has thrown our data protection plans into a state of flux.”

The GDPR will become enforceable by law on 25 May 2018, when the UK will still be a member of the EU. This legislation will apply to all companies wishing to operate within the EU, wherever they operate from. So when we leave the EU, any UK companies that have part of their operations within the EU will have to continue abiding by this regulation.

So, in terms of data protection regulation, what happens after we leave the EU? Could those companies still wishing to conduct business within the EU face the dilemma of having to comply with two potentially contradictory pieces of data protection legislation?

No strategies revealed

This is unlikely, but the problem is that no data protection strategies have yet been revealed. “None of us really knows what is going to happen,” says Flat Rock’s Berger. His view is shared by Guy Marson, managing director of Profusion, who says: “It is almost impossible to predict at the moment.”

So what will happen after Brexit? There are three possible scenarios:

  • The UK leaves the EU and reverts to the previous Data Protection Act.
  • The UK leaves the EU and uses an entirely new data protection regulation.
  • The UK leaves the EU and uses a mirrored version of the GDPR.

The last option is the most likely scenario, because it is the most logical. “One can only assume and plan on the basis that whatever arrangement we have will be the same, or at least predominantly similar, as we have an overlap of being in and then out of the EU,” says Marson. “It would be prohibitively expensive and confusing for businesses across the board to comply one way and then not in another.”

Denham said in her speech: “No matter what the future legal relationship between the UK and Europe, personal information will need to flow. In a global economy, we need consistency of law and standard – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.”

The recent publication of the UK Cyber Security Strategy, which outlines the UK’s network security strategy for the next five years, references the GDPR. “The timing does present a number of particular challenges in terms of understanding the detail requirements, in terms of when they come in,” says Hugo Rosemont, crime and security policy adviser for the British Retail Consortium. “But I think the assumption is actually there, in terms that industry is preparing for implementation of this new legislation.”

Efficient communication and smooth transactions are two of the key elements in a successful economy, which is why many expect the future data protection regulation to be based on the GDPR, although there may be some minor variations. This reflects what Denham said in her speech: “We want to keep selling to other members of the EU freely and without any data protection issues.”

Read more about the GDPR

In preparation for Brexit, the government will enact the Great Repeal Bill, which will bring to an end the primacy of EU law in the UK. Under this process, the Great Repeal Bill will incorporate EU legislation into UK law, after which the government will decide which parts to keep, change or retain.

During the Great Repeal Bill enactment, the government is expected to seek to enshrine the GDPR into UK law, to ensure that communication and trade continues to be shared smoothly with the EU after we leave. “I don’t think Brexit should mean Brexit when it comes to standards of data protection,” Denham told BBC Radio 4’s PM programme.

Overall, the GDPR has been welcomed by UK industry. “I welcome the opportunity because it is good for everyone,” says Berger. “It will create some standards, some compliances and potentially some governance.” But there will undoubtedly be some challenges in complying with the legislation.

Greater responsibility

The GDPR requires companies to accept far greater responsibility for the protection of user data, which will be overseen internally by the appointment of a data protection officer. “What will be very challenging will be around companies that pass on data for third parties,” says Marson. “If a customer asks for that not to happen, there is requirement for [the company] to not only assist in doing that themselves, but to also pass that information on to those they pass the data on to.”

Naturally, the more stringent regulations will mean greater costs for companies, and these costs will eventually filter down to the customer. “All we can say is that this will definitely impact on pricing, because there has be to more rigour around understanding where data is and the ability to access it as well,” says Marson.

Companies should not be lulled into thinking that, because the UK voted to leave the EU, the GDPR will no longer apply. “I cannot believe the GDPR will no longer apply,” says Marson. “I cannot believe there is the will or the interest or any benefit to do anything other than that. I just cannot see the practicality of doing anything else.”

Read more on Privacy and data protection