UK Must Comply With EU Privacy Law, Watchdog ArguesBut Brexit May Upend Data Protection and Notification Rules
Lawmakers and legal analysts are still struggling to analyze the impact of the June 23 referendum on Britain's membership in the European Union (see Brexit: What's Next for Privacy, Policing, Surveillance?).
In the wake of a majority of U.K. voters opting for Britain to leave the EU, the U.K.'s data protection office says that the country will still need to comply with the EU's data privacy rules, including the General Data Protection Regulation that comes into effect in May 2018 (see Mandatory Breach Notifications: Europe's Countdown Begins). Legal experts say it's likely that the U.K. will remain in the EU for two more years, meaning there would also be a window in which it would be legally required to comply with the GDPR - at least in theory.
"With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial."
The GDPR requires organizations to rapidly notify authorities and affected EU residents in the wake of a data breach that may have compromised personally identifiable information. Organizations that fail to comply with EU regulations could also face a fine worth up to 4 percent of their global annual revenue, no matter where they're based in the world.
"Logic would suggest that post #Brexit UK should align itself with #EUdataP & #GDPR but politics may get in the way," London-based attorney Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says via Twitter.
GDPR Compliance: Business Case
Despite a majority of British voters opting for their country to withdraw from the EU - and, as a result, from EU laws - the U.K. Information Commissioner's Office has already begun campaigning for Britain to comply with the GDPR in full, on business grounds.
"The Data Protection Act remains the law of the land irrespective of the referendum result," the ICO says in a June 24 statement, referring to the U.K. law that came into effect in 1998 to comply with the EU's 1995 Data Protection Directive. "If the U.K. is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the U.K. But if the U.K. wants to trade with the Single Market on equal terms, we would have to prove 'adequacy' - in other words U.K. data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018."
Demonstrating compliance with the GDPR would be required for U.K. businesses to thrive in the post-Brexit world, the ICO argues. "With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organizations and to consumers and citizens," it says. "Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the U.K. law remains necessary."
Adequacy? Prove It
Demonstrating "adequacy," however, won't necessarily be an easy undertaking. For starters, many elected EU officials continue to criticize the U.K.'s mass surveillance apparatus and have questioned whether it provides sufficient human rights safeguards for EU members (see Europe Seeks More Mass Surveillance). Parliament has also continued to debate a revised Investigatory Powers Bill to govern the country's surveillance practices. But the overhaul has long been derided by critics as being a "Snooper's Charter," and many legal experts say the draft legislation lacks the protections that the EU's high court has previously signaled that it wants to see (see UK Debates Rebooted 'Snooper's Charter').
"Ultimately the main question is whether the U.K. will still be considered a 'safe third country' by the EU Commission," attorney Linda Hynes, a senior associate at Dublin-based Leman Solicitors who specializes in data protection law, says in a blog post.
"In reality, the [ICO] in the U.K. is one of the most active and strong data protection commissioners in Europe in terms of fines, so if ICO commits to continuing this good work, then [the U.K.] is likely it will be deemed a safe third country," she says. "If this does not happen, then ... the issue of consent and justification for [data transfers] could become a big issue, which would be extremely complicated for multijurisdictional business who have headquarters in the EU and subsidiaries in the UK."
Will ICO Still Exist?
Meanwhile, the ICO is an office that was created to comply with the data privacy rules laid down by the EU for European member states. As Britain moves to exit the EU - and its 28 member states become instead 27 - and potentially rewrites the 1998 Data Protection Act, will the ICO itself continue to exist?
As with all things Brexit, the only sure answer to these and many other questions is: Stay tuned.