GDPR regime emerges as early candidate for post-Brexit divergence
It is 'business as usual' for GDPR for now, but that may change given signals from the UK government
With the UK now out of the European Union, its foreign secretary, Dominic Raab (pictured), has said it will “not be aligning with EU rules” in any post-Brexit trade deal, arguing that agreeing to stick strongly with EU regulations would “defeat the point of Brexit”.
Given the regulatory burden the EU's new data proection regime has placed on companies, it may not come as a huge surprise that it has emerged as a candidate for divergence.
In the short term, a new domestic UK-GDPR (United Kingdom General Data Protection Rules) now takes effect, along with an amended version of the Data Protection Act 2018. However, these are technical measures with no material effect on the GDPR regime.
GDPR will still apply for the duration of the transition period, likely until December 31, 2020. The Information Commissioner's Office (ICO), the UK's data protection watchdog, issued a statement that hence “it will be business as usual for data protection".
Mark Taylor, a partner at Osborne Clarke, said: “In the short term, the UK is expected to retain GDPR in UK law with only limited changes - in essence, just those changes necessary to make the provisions of GDPR work once the UK is outside the EU (including the transition period).”
Notably, the ICO observes: “It is not yet known what the data protection landscape will look like at the end of the transition period and we recognise that businesses and organisations will have concerns about the flow of personal data in future.”
The ICO adds: “We will continue to monitor the situation and update our external guidance accordingly.”
Taylor said: “The more interesting question is the extent to which the UK anticipates evolving its data protection regime in the medium term, in particular in light of rapid technological advances such as AI. The UK has had data protection legislation since 1984 so GDPR-like legislation is unlikely to disappear. However, there may well be more flexibility built into UK legislation in due course to facilitate technological advances."
However, Taylor points out that any divergence from the EU's regime may carry risks.
“One potential constraining factor will be any adequacy decision from the EU in relation to data transfers in the UK. This is envisaged by the Withdrawal Agreement and Political Declaration and, if granted, will be subject to periodic review. Any significant divergence from (and in particular any perceived lowering of) EU standards around protection of personal data may well affect that adequacy decision.”