Data Protection and the General Data Protection Regulation in the UK Post-Brexit
Innumerable questions remain about the consequences of the Leave vote in the UK referendum in relation to issues such as the future relationship of the United Kingdom with the rest of the European Union, the changes that will need to be made to domestic law to reflect Brexit, and the scope of the amendments to domestic law if and to the extent that the UK no longer needs to satisfy requirements of EU law. The Information Commissioner has now made her first public pronouncement on the issue.
Data protection is of course an area where Brexit may have an impact. The new Information Commissioner, Elizabeth Denham, has now made her first public speech since being appointed in July. In this speech she made some observations on the impact of Brexit on data protection both generally and in relation to the EU General Data Protection Regulation (“GDPR”) which will become directly effective in all EU Member States on 25 May 2018.
In this speech Ms Denham made the point that, depending on the timing of Brexit, the GDPR may become effective before the United Kingdom exits the European Union. She acknowledged that the referendum result will make the job of the Information Commissioner's Office ("ICO") “more challenging” and had thrown the ICO's data protection plans “into a state of flux”. However, she emphasized that the ICO is “well prepared” and will continue to provide advice and guidance around GDPR. More specifically, she suggested that domestic United Kingdom data protection legislation will still need to be aligned with EU data laws. In her view:
"The fact is, no matter what the future legal relationship between the UK and Europe, personal information will need to flow. It is fundamental to the digital economy. In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK."
In Ms. Denham’s view, the approach to maintaining such a legal regime post-Brexit should be for domestic data protection legislation to be developed “on an evolutionary basis, to provide a degree of stability and clear regulatory messages for data controllers and the public” and to achieve “not a data protection regime that appeals because it is overly lax or 'flexible'” but “a progressive regulatory regime that stands up to scrutiny, that doesn’t leave the UK open to having rocks thrown at it by other regimes. And that has consistency and adequacy with the Europe.”
As with so many areas affected by Brexit, the message at this stage appears to be to watch this space.