Brexit has made UK data protection and the right to privacy more uncertain and certainly, more complicated. But, “it is unlikely that UK regulations will pivot in a completely new direction,” said Tim Hickman, partner at White & Case LLP and renowned data protection law expert.
How can businesses navigate the increasingly complex EU compliance landscape?
UK’s data protection stance: it’s complicated
Upon the end of the transition period on 31st December 2020, the UK will cease to be treated as a Member State.
“Legally speaking, we are currently not an EU Member State, but under Articles 126-127 of the withdrawal agreement, during this year transition period, the UK is treated as a Member State for almost all purposes under EU law, and EU law continues to apply to the UK,” explained Hickman.
GDPR, therefore, is just as applicable now as it was on 30 January, the day before the UK exited the EU.
But, what happens at the end of this transition period? If no deal regarding data protection is agreed, the UK will become what is called a third country.
In this scenario, “it would be effectively as hard to send data from an EU Member State to the UK, as it would be to send the data to Mexico or India — or anywhere where the EU doesn’t currently have an adequacy decision arrangement,” continued Hickman.
This is why data (protection) is one of the things that the Prime Minister’s team are supposed to be negotiating with the EU commission.
“If the UK agrees a deal that involves an adequacy decision, where both parties agree data can be sent between the two, then as long the UK maintains the required legal standards, then there will be very few practical consequences of Brexit,” added Hickman.
If, as some predict, however, the UK doesn’t manage to agree a deal around data, then there will be significant practical consequences — it will be much harder, for example, for a multinational HQ’d in London to lawfully get data from one of its offices in Dublin or Frankfurt.
“To get data from these jurisdictions, the UK entity will be required to jump through hoops,” said Hickman.
These “hoops” can be satisfied by putting agreements in place. But, the problem with these type of agreements is that they have to include actions, like “third party enforcement clauses in favour of EU regulators,” according to Hickman.
Departing the EU will complicate the UK’s position on data (protection), unless the government is able to do a deal with commission that would allow for the continued free flow of data.
Brexit and the GDPR: what will happen to data transfers and data protection?
Alexander Edwards, partner at Rosling King, discusses the ongoing challenges Brexit poses to data transfers and data protection and what companies and organisations need to be aware of come exit day. Read here
The ICO’s position: a practical complication
The Information Commissioners Office (ICO) represents the UK’s main regulatory body for data protection.
But, following the UK’s departure from the EU, the ICO will no longer be formally part of the European Data Protection Board (EDPB) — the EU body made up of national regulator representatives of each EU member state.
The EDPB is also responsible for the “consistency mechanism”, which is a way of ensuring that individual national regulators are applying the law in a consistent manner. Where does this leave the ICO if it is not formally part of the EU? Again, this will depend on any deal.
“It’s been suggested that the EDPB is interested in keeping the ICO involved in some capacity, because it’s a net benefit to them. It doesn’t cost them anything and they get the benefit of the ICO’s inputs and contributions, if a deal is agreed,” explained Hickman.
If, however, the ICO doesn’t remain involved in the EDPB, then a challenge emerges in relation to dynamic alignment going forward.
Privacy regulators and the challenge of enforcement
UK data protection and the right to privacy: will the country drift away?
Presumably, EU law will become stricter over time, when it comes to the use of data. Will the UK follow this if it has no voice at the table? Or, will the UK start to drift away?
This remains an open question, but a lot will depend on how much technological investment the UK is putting into AI, as an example.
In the US and Asia, especially China, investment in AI is much higher than in Europe — in part, this has to do with regulation. It’s harder to use data lawfully in the UK (and EU) than it is in other regions.
Different traditions of privacy
Different Member States and different geographical regions have different traditions of privacy, and “views on the three-way tension between the right to freedom of expression, the need for national security and the right to privacy,” continued Hickman. “Every country sits somewhere within that triangle, with those three points pulling against each other.”
The EU leans towards the privacy corner of Hickman’s triangle, while the US is diametrically on the other side, balancing between national security and freedom of expression as its highest priorities. Traditionally, a focus on privacy has not been as strong. But, now, with the implementation of the CCPA and other laws, this could well change.
The UK has historically sat part-way between the EU and US positions on this issue. But, this focus could shift as the country is no longer tied to the EU’s legal structure.