Kim Roberts of King & Spalding considers the impact of the referendum result on the UK's data privacy laws.
The British public’s vote to leave the European Union has wide-ranging implications for many aspects of the law, with one growing area of focus being Brexit’s potential impact on the UK’s data privacy laws.
There are several significant new developments coming from the EU and the potential effect of Brexit on the UK’s legal framework on data privacy is currently uncertain.
The first question is what will be the likely status of the General Data Protection Regulation (GDPR) as a result of Brexit?
The GDPR was passed into law in late April 2016, and has an implementation timetable of two years until it becomes effective. It took three years to negotiate the GDPR, the rationale behind it being the need to address the fragmented approach to data privacy law across the EU and to modernise the legislative framework applicable in the EU.
The GDPR is an EU Regulation. Regulations rely on the principle of direct effect, which means that they are directly implemented into the law of each member state without the need for domestic legislation and have immediate effect. The GDPR is due to come into force in April 2018 and will have direct effect in each EU member state.
Now that the UK has voted to leave the EU, which may or may not happen by mid to late 2018, making predictions about the likely implications for specific pieces of legislation is challenging, particularly where that legislation is not yet part of national law. It is anticipated that the UK Parliament will consider the implementation of any legislation that is pending in advance of the UK leaving the EU. Parliament may decide to effect the implementation of the GDPR by way of independent UK law. This may mean that the GDPR is adopted in its current form in the UK. Alternatively, a different version of the GDPR may be adopted in the UK.
The Information Commissioner’s Office (ICO) has stated that the GDPR needs to be implemented in a form at least equivalent to the enhanced standards it sets. The Information Commissioner stated: “If the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ - in other words UK data protection standards would have to be equivalent to the GDPR framework starting in 2018. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
In the meantime, the UK maintains its current regime around data protection law, having implemented its own domestic legislation compliant with the existing EU Data Protection Directive as applicable across the EU.
Similar issues arise in respect of the new agreement reached between the EU and the US on the Data Privacy Shield, adopted by the European Commission on 12 July 2016. The Data Privacy Shield replaces the previous Safe Harbor agreement, which was invalidated by the Court of Justice of the European Union (CJEU) last October. Safe Harbor had allowed US companies to self-certify that they would comply with more stringent EU data protection standards so as to allow for the free transfer of data from the EU to the United States. Since October 2015, there have been extensive negotiations over an improved form of agreement with enhanced protections for data subjects in relation to data transfers from the EU to the US. Once adopted, the Data Privacy Shield aims to enhance the privacy standards and provide a significantly improved framework to protect data flowing from Europe to the United States.
In terms of the UK’s participation in the Data Privacy Shield agreement, once the UK leaves the EU the country will no longer automatically be within the ambit of the Data Privacy Shield. Data transfers will inevitably also need to be catered for in the UK’s strategy on data privacy law generally, as otherwise our ability to secure a finding of ‘adequacy’ for cross-border data transfers from the EU will be threatened, with the inevitable knock-on effect on cross-border EU/UK and UK/US commerce.
Lastly, on 6 July 2016, the European Parliament gave final approval to the Network and Information Security Directive. It establishes the first set of fundamental cybersecurity and breach reporting obligations applicable specifically in the EU for companies supplying essential services in industries such as energy, transportation, banking and health, as well as for digital services such as search engines and cloud computing. The new directive requires providers to implement “technical and organisational measures” that are “appropriate and proportionate” to the cyber risks they face, in order to ensure the security of their information systems and to prevent and minimise the impact of security incidents.
Directives (as law-making instruments) are generally not directly effective in EU member states and require implementation via domestic law. Again, it seems likely that the UK will adopt its own national law equivalent to the standard of the EU directive on cyber security. So far, however, this is uncharted territory and we await formal confirmation from the government and the ICO of their proposals for a cybersecurity legal framework for the UK.
It seems likely that the UK's data protection standards will remain on a par with the EU's despite the Brexit vote. Whilst there may be little clarity so far around what kind of future relationship the UK will maintain with the EU, or how this will be implemented and regulated, the mood from the ICO so far clearly points to a parallel system of data privacy laws and protections operating in the UK.
Kim Roberts is an employment and data, privacy and security specialist at American law firm King & Spalding.