BREXIT: UK data protection laws should develop 'on an evolutionary basis' post-Brexit, says new information commissioner

Out-Law News | 30 Sep 2016 | 4:30 pm | 3 min. read

The UK should have new data protection rules in place by the time it leaves the EU and those rules should "be developed on an evolutionary basis" thereafter, the UK's new information commissioner Elizabeth Denham has said.

In her first speech since taking office, Denham suggested that it was likely that the new EU General Data Protection Regulation (GDPR) would apply in the UK before the UK leaves the EU.

She said, however, that if that is not the case or if the UK government decides to apply alternative rules to those in the GDPR post-Brexit, the UK rules would "still need to be deemed adequate or essentially equivalent" to the GDPR.

The GDPR will have effect from 25 May 2018. Denham said it looks like the UK will formally exit the EU in 2019 or later.

"We know it’s up to government what happens here, both in that middle period from May 2018 to whenever the UK formally leaves the EU, and beyond," Denham said in her speech in London.

"The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK," Denham said.

Denham said the Information Commissioner's Office (ICO) will "work with the law government give us", but is "determined to be part of [the] conversation" over the future of UK data protection laws.

"We don’t want to talk legislative minutiae, but to look at the key principles that should underpin the future of privacy law in the UK," Denham said.

"We believe that future data protection legislation, post Brexit, should be developed on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public. The aim here is not a data protection regime that appeals because it is overly lax or 'flexible'. The aim is a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe," she said.

Denham admitted that the UK's vote to leave the EU had thrown the ICO's "data protection plans into a state of flux". However, she said the watchdog still intends to issue guidance on GDPR compliance to businesses.

She said: "GDPR brings in new elements – and a more 21st century approach – the right of consumers to data portability is new, as is mandatory data breach reporting, higher standards of consent, and significantly larger fines for when companies get things wrong. But the major shift in the law is about giving consumers control over their data. It ties in with building trust and is also part of the ICO’s philosophy. We are helping you to get ready for the new law – and we will continue to provide advice and guidance around GDPR, whether you’re a business with 400 customers or 40 million."

In July Baroness Neville-Rolfe, UK minister responsible for data protection at the time, admitted it is not certain if the GDPR will apply in the UK.

"We do not know how closely the UK will be involved with the EU system in future," Neville-Rolfe said at the time. "On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way."

UK businesses that operate cross-border in the EU will have to comply with the GDPR if processing personal data of citizens based in the EU countries regardless of what legislation applies in the UK.

Data protection law specialist Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said recently that businesses should take steps now to prepare for the GDPR taking effect if they have not already done so.

"To avoid disrupting the company too much with major last minute changes, and incurring substantial costs in the process, it is vital that businesses operating in the EU take steps now to move towards compliance with the GDPR," Richard said. "Waiting until early 2018 or even late 2017 will be too late."