Back in 2016, the United Kingdom held a historic vote to decide on whether or not they wanted to stay in the European Union. The majority voted to leave, and since then it has been a circus of delays, deals, and extensions.
Almost four years later, Brexit may finally be happening, but what impact could it have on data protection? It’s a question that many businesses have not even begun to think of. Here’s what you need to know.
Deal or No Deal? – The Current Brexit Situation
There are two options for Brexit. The first is that the UK arranges some type of deal with the European Economic Area (EEA – the EU plus Iceland, Norway and Liechtenstein). A deal would allow both the UK and EEA to negotiate on what laws and agreements they would like to keep in place.
The second is that the UK leaves with no deal, meaning there is no agreement on matters such as trade, residency, data protection or freedom of movement.
At the moment, it is still unclear what direction the UK is going to take as no deals have been passed by British parliament. With a general election taking place next month, things are very up in the air.
When it comes to what businesses should expect, things are incredibly vague. A no-deal Brexit could have a devastating effect on many businesses both large and small. Currently the EU is the UK’s largest trading partner, and given that many businesses run online shops, data has a big part to play.
If the UK manages to make a deal with the EEA, then it is likely that data protection laws will remain the same within Britain. If no deal is reached, then it could be disastrous for businesses.
What could happen with data protection?
Currently, data flows across borders between the UK and the rest of the EU. This makes trade significantly easier for businesses, in particular within digital industries like technology. The McKinsey Global Institute estimates that cross border data flows account for 3.8% of global GDP. In an advanced services-driven economy such as the UK, cross border data flows are likely to make up a much bigger proportion of GDP than that.
As an EU member state, the UK is bound by the General Data Protection Regulation (GDPR), which gives it some of the world’s strongest data protection laws. Because every EU and EEA country applies the same rules, personal data collected in one of them can be sent to the UK without any additional transfer mechanism: the exporter can rely on the assurance that the data will be equally protected once it arrives.
However, the UK also has its own data protection law: the Data Protection Act 2018. The Act supplements GDPR, and in some cases goes further than the regulation. In specific cases, the UK has stricter rules when it comes to data protection.
In the event of a no-deal Brexit, the Data Protection Act and the UK’s EU exit regulations are designed to keep the same level of protection for data processed in the UK: the text of GDPR is carried over into domestic law as a “UK GDPR”. Under EU law, however, the UK becomes a third country the moment it leaves, and GDPR treats transfers to third countries differently regardless of how strong the local rules are. Personal data would no longer flow freely from the EU to the UK until the European Commission formally recognises the UK’s regime (see the adequacy question below), and any later decision by the UK parliament to weaken its privacy standards would put even that recognition at risk.
If there is no deal, the UK will also fall outside the EU-US Privacy Shield, the framework that governs personal data transfers from the European Union to certified companies in the United States. The US Department of Commerce has said that Privacy Shield participants can continue to receive UK data if they update their public commitments to cover it, but how that will work in practice, and whether UK businesses can rely on it, remains to be seen.
If a deal is reached with the EU, then it is likely that the UK will continue to uphold GDPR practices. There will also be a transition period once a deal is reached, giving businesses time to prepare for how they will need to manage data in the future. It should be noted that at the time of writing this article, no Brexit deal has been passed by British parliament.
The adequacy question
Initially, the UK hoped that the European Commission would grant it special status and allow information to keep flowing freely across borders. The EU, however, has different plans. It will assess the UK for “adequacy” only once it has left the union. Under Article 45 of GDPR, this means the Commission will examine the data protection regime the UK actually has in place after Brexit and decide whether it offers protection “essentially equivalent” to that in the EEA. (Articles 46 and 47 cover the fallback mechanisms, such as standard contractual clauses and binding corporate rules, that businesses must use in the meantime.) Looking at past cases, the granting of adequacy can take anywhere from 18 months to five years.
If a deal is reached, then the determination of adequacy would take place during the transitional period. During this time, the UK would continue to abide by all EU regulations in order to avoid disruption, and it is reasonable to assume that things would progress smoothly.
However, if there is a no-deal Brexit, the results could be catastrophic. The UK could spend years in a data limbo, not to mention that there are a number of matters that could cause the UK to be denied adequacy.
The UK is currently part of the Five Eyes alliance – an intelligence pact between the UK, US, Canada, Australia, and New Zealand. National security is outside the EU’s competence while the UK is a member, but once the UK is a third country its surveillance regime becomes fair game for the adequacy assessment: the Court of Justice of the EU struck down the earlier Safe Harbor framework in 2015 precisely because of US intelligence gathering, and the UK’s bulk interception powers could attract the same scrutiny.
Under a no-deal scenario, things get really tricky for small and medium-sized businesses while they wait for adequacy. EU-to-UK transfers will only be permitted under one of GDPR’s transfer mechanisms, in practice standard contractual clauses signed with each EU counterparty or, for corporate groups, binding corporate rules approved by a supervisory authority. Most small and medium-sized businesses aren’t aware of the legal and technical work that comes with that, and many will need outside experts, which is not only a lot of work but also potentially very costly. Transfers in the other direction are less of a problem: the UK government has said it will continue to treat the EU and EEA as adequate, so UK-to-EU flows can carry on as before.
Given the current uncertainty regarding Brexit, there is only so much business owners can do right now. The Information Commissioner’s Office has published high-level recommendations, and the government has issued a toolkit online, but aside from that guidance is scarce. What businesses can usefully do today is map which personal data they receive from the EU, and from whom, so that contractual clauses can be put in place quickly if they are needed. Beyond that it is a very drawn-out waiting game, which has many business owners on edge.
Other data regulations that could be affected
There are a number of regulations, directives and laws currently in place when it comes to data protection in the EU. Here are the ones that may be affected by Brexit:
The Privacy and Electronic Communications Regulations (PECR)
PECR is the UK’s implementation of the EU’s ePrivacy Directive and covers marketing, electronic communications, and cookies. Because it already sits within the UK’s own legal framework, it will continue to apply post-Brexit.
However, the EU is in the process of replacing the ePrivacy Directive with a new ePrivacy Regulation. If that comes into effect after the UK leaves the EU, the updated rules will not apply in the UK, and so far there is no indication that UK law will be updated to match them. Businesses serving EU customers will nonetheless have to meet the new EU rules for those customers.
The Directive on Security of Network and Information Systems (NIS)
The NIS Directive was created to raise the level of cybersecurity among operators of essential services and digital service providers. This is another piece of EU law that has already been transposed into UK law, as the NIS Regulations 2018, so the current rules will continue to apply in the UK post-Brexit.
In the event of a no-deal Brexit, things get complicated for digital service providers. Once the UK is outside the EU, a UK provider that offers services in the EU is treated as a provider established outside the Union and must designate a representative in one of the member states where it offers those services; it then falls under that member state’s NIS rules in addition to the UK’s. Businesses in this position will most likely need to appoint someone specifically for the task.
The Electronic Identification, Authentication and Trust Services Regulation (eIDAS)
This regulation sets the rules for electronic identification and for trust services such as electronic signatures, seals and timestamps. Unlike NIS and PECR, eIDAS is a directly applicable EU regulation rather than a directive transposed into domestic law, so it would cease to apply in the UK on exit unless it is retained by UK legislation or provided for in a negotiated deal.
The UK government has said it will retain eIDAS in domestic law after Brexit, which hopefully will limit disruption within the UK. What it cannot do unilaterally is keep EU recognition: UK trust service providers would no longer appear on the EU trusted list, so signatures and certificates they issue would lose their “qualified” status in the EU. As with the NIS directive, businesses offering trust services in EU member states will need to meet eIDAS requirements there, which in practice means working with an EU-established provider.
Given the current state of UK politics, it is quite difficult to say which direction Brexit might take. This has taken a toll on business owners, in particular those of small and medium sized companies. Smaller businesses do not always have the resources to prepare for what could be a massive change when it comes to data protection and management.
All we can do for now is hope that things will become clearer over the next couple of months. Perhaps a deal can be struck between the UK and the EU to make data protection more amenable to everyone. Given the fact that the granting of adequacy could take well over a year without a deal in place and many people aren’t aware of this issue, we can only hope for the best.
For now, it is recommended that all businesses continue to follow GDPR guidelines (you can look at our GDPR checklist to see if you are compliant).