Data protection: “Post-Brexit” data transfers and privacy standards

In February 2017, the UK Government published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a “post-Brexit” settlement.

The background

Chapter 8 of the white paper, entitled “Ensuring free trade with European markets”, confirms the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.

The development

EU law, both in its current form through Directive 95/46/EC and in the General Data Protection Regulation (GDPR), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to “third countries” which do not have a level of data protection recognised as equivalent by the European Commission. The question is how the GDPR will apply after the UK’s exit from the EU.

The simple answer is that we do not know for sure where we will land. The white paper aims to commit the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK offcially becomes a third country, essentially needing to prove to the EU that its approach to data protection is adequate in order to preserve the free flow of data and support the cross-border trade.

This could mean a host of action on the part of the UK to demonstrate adequate data protection and compliance. There is therefore a strong indication in the white paper that the UK is not planning to deviate significantly from the GDPR standards which it will adopt, particularly provided the extensive efforts already undertaken by the ICO when developing the GDPR framework.

Why is it important?

The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. Therefore, it is important to have some assurances that the preparation will not be in vain.

What’s next?

There are various models of how the EU data laws can apply to countries outside the EU and these could be applied to the UK “post-Brexit”:

• the European Free Trade Association (EFTA) approach where the UK would remain part of the European Economic Area (EEA), but not a member of Europe and would therefore need to implement EU data protection laws
• the Swiss Model where the UK would not be a member of the EEA but would remain in the EFTA which would mean the UK had to implement the GDPR and to some degree demonstrate the adequacy of its data protection
• go it alone. Then, the risk of being a third country for the purposes of data protection is a real risk and would require the UK to demonstrate (in the same way as the US does) its adequacy in complying with the EU data protection. This would result in an agreement which could be tested at any time (as the US Safe Harbour agreement recently was)…noting that the UK’s new Investigatory Powers Act is deemed by many to be even more draconian in the surveillance rights it grants to the authorities than those of their respective American colleagues.