Out-Law Analysis
04 Apr 2016, 9:39 am
Changes to the UK's data protection framework will happen regardless of which way the vote goes. If the UK votes to remain in the EU then the soon-to-be-finalised EU General Data Protection Regulation would apply to businesses operating in the UK or targeting UK-based consumers.
If the UK votes to leave the EU then there is considerably more uncertainty over UK data privacy rules. It is not yet clear what the nature of the UK's relationship with the EU would be post-exit, and the new General Data Protection Regulation could either apply in the UK or at least heavily influence how a post-exit UK data protection regime would look.
One of the outcomes businesses might hope for in the event the country votes to leave the EU is for the UK government, with fresh control over law making in the field of data protection, to cast aside the new Regulation and apply a less burdensome data protection regime in the UK.
However, even if the UK votes to leave the EU it is still likely to have to implement similar data privacy rules to those included in the Regulation. That would be because of the restrictions EU law places on EU-based businesses transferring personal data outside of the European Economic Area (EEA). Transferring personal data from the EU to locations outside of the EEA is prohibited unless there is adequate data protection in place. There has been substantial disruption to data flows to the US because of concerns in this regard.
It is still unclear whether the UK would become a member of the EEA if it left the EU or whether the UK would hold a looser relationship with its EU neighbours in the event of an exit. If the UK was not in the EEA then the European Commission would face pressure from the business community to designate the UK as a territory that provides for adequate data protection – a so-called adequacy decision. If it did then organisations could more freely transfer personal data to the UK from destinations in the EU than would otherwise be the case.
The position that the Commission would take when reviewing the adequacy of data protection in a post-exit UK is hard to gauge. On the one hand there would be sound business advantages to EU traders if it was easier for them to engage the services of UK-based companies and transfer personal data to those businesses via a facilitating framework.
However, the Commission and the UK have had a fractious relationship on data protection issues for years. The UK's implementation of the existing EU Data Protection Directive into UK law via 1998's Data Protection Act is the subject of an ongoing threat of infraction proceedings to be brought by the Commission. The Snowden revelations, about the operations of US and UK intelligence agencies, have not helped improve continental Europe's perception of the way the UK addresses data protection issues either.
The circumstances in which UK government authorities, in particular GCHQ, could get access to personal data held by businesses for national security and other purposes would likely be scrutinised heavily by the Commission as part of any consideration it would make about whether the UK provides for adequate data protection in line with the requirements of EU law.
Clues as to the pressure the Commission would be under when coming to its decision are available from how the question of personal data transfers from the EU to the US has been addressed in recent months. EU-US data transfers have been subject to greater scrutiny since the EU-US safe harbour agreement was invalidated by the Court of Justice of the EU (CJEU) last October.
Keen to preserve smooth trading conditions across the Atlantic, the Commission entered into months of negotiations with US counterparts and devised the EU-US Privacy Shield with enhanced safeguards for privacy compared to the previous safe harbour regime. This period of negotiation followed months of previous negotiations on the same topic. The Commission has determined that the Privacy Shield should benefit from an adequacy decision.
However, EU data protection watchdogs – whose authority to investigate data transfer arrangements facilitated by Commission adequacy decisions was reconfirmed by the CJEU's ruling – have still to endorse the Privacy Shield. In addition, there remains the prospect of a legal challenge being brought by privacy campaigners who have already voiced their concerns with the framework.
In this context it is unlikely that a UK exit from the EU would spur a major change of direction on data protection policy by UK policy makers from that being pursued under the General Data Protection Regulation.
London is seen by many international businesses as a gateway to the rest of Europe. Changes to data privacy rules that do not accord, in the eyes of Brussels policy makers, with EU law could jeopardise that gateway status. Businesses want consistent data privacy rules across national borders in Europe and might think twice about laying foundations in the UK if using UK data centres would not give them an automatic pass to provide services across the whole of the EU.
In the event of a vote to leave, the UK government might attempt to address that concern by bringing data protection issues into negotiations with the EU over a new trade agreement. It might leverage trade benefits in return for a softening of EU positions and a more pragmatic approach to privacy issues. The prospect of this being successful would appear slim, though. EU officials have regularly decried US attempts to deal with data protection as part of broader negotiations on an EU-US trade deal. Europe frames data protection as part of a fundamental rights agenda, whereas the US sees it as an economic right.
If the UK did not benefit from an adequacy decision by the Commission it would not prevent organisations sending personal data to the UK from the EU. It would however make data transfer arrangements more cumbersome. Firms would likely need to deploy a range of legal, technical and organisational measures to underpin those transfers, with precise measures changing possibly on a case-by-case basis. This could impose cost and administrative burdens on businesses and would be likely to impair the UK's competitive position.
There might be some flexibility for the UK to exempt businesses from some of the more burdensome provisions of the General Data Protection Regulation, though, whilst still benefiting from an EU adequacy decision.
We know from issues the UK government has regularly raised about the plans for the new Regulation what types of changes it would make to data protection rules if it had the chance. Obligations on organisations to employ data protection officers and stiff rules around consent could potentially be relaxed, for example, should the UK exit the EU. Smarter regulation would be an attractive proposition.
Smarter policy making to support the use of big data analytics in the UK in medical research, where the UK is a global leader, and in a number of other areas, might arise if the UK votes to leave the EU. How the UK would manage to achieve that and at the same time ensure it received an EU adequacy finding to support cross-border trade would be an important question relating to data privacy to emerge from any Brexit.
Pending June's vote, the UK government has outlined plans to enhance arrangements around the sharing of citizen data within the public sector with the aim of improving people's welfare and reducing fraud. This pre-empts exemptions for the public sector catered for in the new Regulation. These plans raise questions about the public sector's commitment to best practices in data protection.
Marc Dautlich is an expert in data protection law at Pinsent Masons, the law firm behind Out-Law.com.