UK Data Protection: A little part of us that will forever be Europe?

In the pre-23 June 2016 world of certainty, stability and legislative timetabling, British businesses knew that, so far as their data protection obligations were concerned, they would have a couple of years to comply with the requirements of the new EU General Data Protection Regulation (GDPR), which was adopted in April this year and takes effect from 25 May 2018.

Most would agree that some reform was necessary. The current EU data protection regime is based on the Data Protection Directive, introduced in 1995. Our very own Data Protection Act (DPA), which brought British laws on data protection in line with that Directive, was enacted, for the most part, over 15 years ago, in an era when phones weren’t “smart”, online marketing was in its infancy, employee records were still largely kept in metal filing cabinets and binoculars were a useful surveillance tool. A lot has changed.

What has also – possibly – changed is the UK’s future requirement to enact EU Directives into domestic law. So, as several of our clients have already asked in the past couple of weeks, what now for the GDPR?  Should we brief senior management, designate a Data Protection Officer, update our Subject Access Procedure and so on? Or should we assume the GDPR will never apply?

Afraid we can’t really say definitively.

This was the view of the Information Commissioner, Christopher Graham, in a recent press release:-

“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s [Information Commissioner’s Office’s] role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”

However, the Government view is rather less positive. The UK minister responsible for data protection, Baroness Neville-Rolfe, recently acknowledged that “for a period the future will be more uncertain” and that it is not certain if the GDPR will apply in the UK:-

“On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.”

So what is the best approach now for a forward-thinking and well-prepared business?

  • Certainly, continue to ensure carefully that you understand and comply with obligations under the DPA. As the ICO has stated in its advice on the GDPR, “many of the principles in the new legislation are much the same as those in the current DPA. If you are complying properly with the current law, then you have a strong starting point to build from. But there are important new elements, and some things will need to be done differently.”
  • Monitor developments and ensure you are ready to respond. For example, if the GDPR is enacted, you will need to designate a Data Protection Officer or equivalent.
  • And, finally, please don’t assume that we will avoid enacting the GDPR. Any UK business involved in cross border transfers of personal data in the EU post-Brexit (and that is potentially a huge number, be this employee or customer data) will, in all likelihood, need to be subject to national data protection laws at least as stringent as those envisaged by the GDPR, or those transfers will become far, far more difficult.

The problems that can easily arise where another national regime is not viewed as stringent enough were very well demonstrated after the Schrems decision in the European Court of Justice last year (which related to Facebook’s transfers of personal data to the US). This struck down the EU-US “Safe Harbour” agreement which had allowed personal data to be transferred legally between EU countries and the US for 15 years and which some 4,000 US companies relied on. Teams of EU and US negotiators have been valiantly trying to put in place a replacement for over two years, but this is not yet agreed and may not even be effective legally. Don’t for a minute think it would be easier for the UK and EU to negotiate a post-Brexit Safe Harbour-style agreement!

And the alternatives – so-called “Binding Corporate Rules” within a corporate group or a binding data transfer agreement between a data transferor in an EU country and a data recipient in the UK – would each be subject to approval from relevant national data protection regulators, bringing inevitable delay and expense.

In short, enactment of the GDPR (or something closely equivalent) into our national law, despite some of its more onerous aspects, might well be the preferred option for businesses which carry out data transfer from and to the EU.
