< Back

Share |

Brexit – data protection law is here to stay, isn't it?

January 2017

Even before the EU Referendum results were known, the Information Commissioner's Office (ICO) was clear that "the UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU."

The government has since confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). This is not an enormous surprise given that we will still be part of the EU when the GDPR comes into effect on 25 May 2018. The government has also announced that EU-derived law will be brought into the scope of UK law under the 'Great Repeal Bill'.

The situation is not quite as simple though as this stated intention suggests. There are complex questions once we leave regarding regulatory oversight, for example. The European Data Protection Board will have the final say in certain disputes and there is an intricate arrangement in place in relation to regulatory responsibility when personal data flows between Member States. Quite simply, parts of the GDPR will simply not work once the UK is outside the EU, particularly if it does not leave on terms which either make it a member of the EEA or give it access to the Single Market.

A case for light touch data privacy laws?

It is possible that Brexit may allow the UK to consider this as a fresh opportunity to review the GDPR, with a possible move to a lighter touch regime than the one under the GDPR. This would inevitably mean reversing the complete adoption of the GDPR. What would follow and how much 'lighter' such a new privacy regime could be, well no amount of gazing into the crystal ball can answer that now.

Reality hits home?

The UK as a 'data protection haven' (in the sense of a 'tax haven') may be appealing to some but the reality is likely to be more prosaic. In all reality it is difficult to see how the UK could not implement privacy laws that are substantially similar and, arguably, at least equivalent to the GDPR.

Geographically, the UK may be separated from the European mainland, but in terms of its global positioning and the vast number of multinational businesses based in the UK, the international picture cannot be ignored when it comes to understanding what type of data privacy laws we will need to have in place. For example, exporting (often also referred to as 'transferring') personal data from Europe to countries outside of the EEA is subject to restrictions. The EU views local data privacy laws as important to establish that an adequate regime of data privacy law exists in the recipient country and also that robust solutions exist to legitimise such exports, for example, by using Binding Corporate Rules and Model Clauses. There has been significant disruption around the need to establish valid solutions for US data flows because of concerns in this regard.

Against the uncertainty of not knowing whether we will join the EEA and what the future relationship with Europe will look like, it is almost inevitable that the European Commission will be pushed to consider whether the UK provides for a data protection regime which is 'adequate' i.e. provides an equivalent level of data protection to the EU. A Commission-issued adequacy decision (of the type already issued for a select number of countries) would allow for the free movement of personal data to the UK from Europe without the need for taking further steps to put tools of legitimisation in place. The Commission would, of course, need to consider the robustness of the data protection law regime in the UK before making such a decision and this, in itself, would create a level of uncertainty.

Putting aside the difficult task of predicting what the exact shape of the UK data protection law could be, if judged by previous actions of the Commission, it is as clear as day is that a lighter touch data protection regime in the UK would not impress the Commission enough for it to grant the UK an adequacy finding.

Add to the equation that the UK and the Commission have a history of not seeing eye to eye regarding the UK's ability to implement data protection laws to the standards required by Europe and it becomes an even more uphill task for the UK to feel confident that a deal over adequacy could be struck in the short term.

There are parallels to be drawn here with the furore around the striking down of the adequacy decision which underpinned Safe Harbor. Recently, we saw the Article 29 Working Party (WP) provide a cautious response to the proposed replacement for Safe Harbor, the EU-US Privacy Shield, and this lack of endorsement has meant that the uncertainty around data exports between Europe and the US continues. The UK could fall into a similar situation of uncertainty should any 'arrangement' be sought to pave the way for an adequacy finding for the UK after Brexit. Of course, Model Clauses and Binding Corporate Rules remain viable options subject to further twists and turns of the data exports roller-coaster, but the range of options would most likely be considerably restricted under any data protection regime which did not mirror that of the GDPR.


The invalidation of Safe Harbor following the Schrems decision handed down by the Court of Justice of the European Union (CJEU) is likely to inform the approach of the Commission if it has to make an adequacy assessment of the UK's post-Brexit data protection regime. One of the key concerns of the CJEU in Schrems was the difficulty of being able to assess the proportionality and necessity of the access to EU personal data by US public authorities for national security and related purposes. The WP, when presenting its findings on the Privacy Shield, has laboured the fact the consideration for adequate data protection in line with the requirements of EU law in this regard is not just a matter for the US, but also applies to other countries and that is not the first time that there have been rumblings that the UK is already pushing at the limits of what is permissible under EU data protection law in this area.

The enactment of the controversial Investigatory Powers Act 2016 (IPA), at the end of last year, will only serve to make the UK's position more precarious in the eyes of the Commission. The wide ranging potential access to personal data by various public authorities is more than a little reminiscent of the powers that national security agencies in the USA have in respect of EU personal data. While the IPA does include safeguards and a requirement to consider human rights and privacy issues, that does not mean that the Commission will consider it has sufficient oversight over whether access to EU personal data by the UK authorities is necessary or proportionate.

The UK will need to continue to 'box clever' and strike a balance between privacy laws that are robust yet also smart for its global positioning and encouraging growth in areas such as technology, big data, life sciences and medical research. The UK will have to tackle these uncertainties to ensure that data privacy obstacles do not become a barrier to trade and commerce, especially given the UK's major role as a hub, base and launch-pad for international business.

As to how the UK will strike that balance, less reliance on that crystal ball and more leadership in terms of the UK's positioning on the world privacy stage will be required. Anything less would be short-changing the UK and the businesses that wish to internationalise from and through the UK.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Brexit – data protection law is here to stay, isn't it?
Vin Bange

Vin Bange      

With new EU data protection law recently approved, Vin considers whether much will change in the world of data protection following the UK's decision to leave the EU.

"The UK will need to continue to 'box clever' and strike a balance between privacy laws that are robust yet also smart for its global positioning."